Secure remote/local access

Neptune-Crypto · Feb 11, 2025 · 10a3b04 · 10a3b04
1 parent 9adfea4
commit 10a3b04
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/docs/src/neptune-core/rpc.md b/docs/src/neptune-core/rpc.md
@@ -17,9 +17,9 @@ The RPC server allows other programs to interact with a `neptune-core` node incl
 
 - Securing the executable : Since the RPC server runs on the same executable as `neptune-core` it is important to secure the executable to prevent unauthorized access. This can be done by setting the appropriate permissions on the executable and using a secure operating system.
 
-- Securing remote access : The RPC server can be accessed remotely by clients on the internet. It is important to secure the RPC server to prevent unauthorized access. This can be done by setting up a firewall to restrict access to the RPC server port and using encryption to secure the connection.
+- Securing local access : By default, the RPC interface is accessible only to clients running on the same machine, and only when they provide a valid authentication cookie. Securing local access to the RPC server is crucial to prevent unauthorized use. Any program on your computer with access to the file system or local network could potentially gain this level of access. Additionally, other programs on your system might attempt to mimic an RPC interface on the same port as the node, potentially tricking you into disclosing your authentication credentials. Therefore, it is essential to use `neptune-core` for security-sensitive operations only on a computer where you trust all other installed programs.
 
-- Secure string handling : The RPC server accepts strings as input from clients. It is important to validate and sanitize the input strings to prevent injection attacks.
+- Securing remote network access: You can choose to let other computers remotely control `neptune-core` by configuring the `listen-addr` and `rpc-port` settings. These options are intended for use within secure private networks or connections that have been properly secured (e.g., via VPN, SSH port forwarding, or stunnel). **Avoid enabling RPC connections over the public Internet**. While Bitcoin Core's RPC interface includes authentication, it lacks encryption, meaning your login credentials are transmitted in plain text and could be intercepted by anyone on your network path. Furthermore, the RPC interface is not designed to handle arbitrary Internet traffic securely. Exposing it to the Internet—even through methods like a Tor onion service—could leave you vulnerable to unforeseen risks.
 
 ## RPC Methods