From YouTube: Secure your IPFS website - Thibault Meunier
Description
For wallets, decentralized exchanges, DeFi insurer, or DAO management, most IPFS applications are relying on HTTP. This setup allows applications to be accessible by current web users, with minimal modifications. It also enables developers to leverage common web engineering practice. However, these HTTP endpoints have to be secured, and trust provided by the decentralized-network has to be carried to end-users. HTTPS is not enough. This talk will present the setup of a browser based IPFS app.
A
Yes, so today I will discuss how you can secure your IPFS website, and so focusing on the kind of like interaction between IPFS and HTTP. Quick presentation for myself before: so I'm a research engineer at Cloudflare working on like these distributed web projects, or IPFS, Ethereum, along with like all the research projects. Tend to like croissant, which might sound cliché, but like they come a lot in this presentation. So you should just know there are no croissants in Lisbon, sadly. At least like there are brioche croissants, but no like French croissant, and like the unknown, like offered in here today, so well, for next time, I think so.
A
Just quick introduction for like what IPFS is. I think you all know, but like let's just see a bit more how like these interact from like a request pattern. So imagine you're, like, I don't know, in Paris, and so you're just like sitting in a café, you like come and say: hey, like, I would like a croissant. And yeah, usually the waiter will come back and say: hey, like, you have a croissant. And you really need to make sure, if you're in places you go like that, you have the right croissant. And so it's like kind of similar to IPFS. You request the CID and like you just check that like the content you have matches the CID, because otherwise you might end up with something that looks like a croissant, but it's not really the thing you were expecting. And yeah.
A
So that's kind of like why we have IPFS: just to make sure that you have the croissant you expect. And so just to give you like a full plan of like what we're going to discuss, is like we're going to start quickly with like a presentation of like IPFS, with like slightly more technical diagrams, then how you can serve the content that you have on IPFS. We then go through how you can secure a request for that content.
A
The first thing you need to have is the IP address for example.com, because well, there's nothing to be reached for example.com. So we use a DNS resolver that like will return you an IP address such as like 1.2.3.4, and once you have that IP address, you will make an HTTP request to the IP address, saying that you're looking for example.com, and it will return you the content. And yeah, that's fine! You have your home page and everything's good.
A
On IPFS, it works slightly differently, but in a way it's similar. So instead of like your web browser, you have your IPFS node, and when you request content by CID to the IPFS node, it's very similar to like example.com: you don't know where to look for the content. The first thing you will do is to resolve the content to your provider that will be able to have it. So like you can query the DHT, which would say: hey, for cid1234, you should reach out to like this peer or this IP address. And then you request the content from like this peer or this IP address, and because of the way CIDs are constructed, you're also able, as you're receiving the content, to validate that that was the content you were expecting. And yeah, that's it. You have now like an IPFS request.
A
So how do you serve content? And I really focus on HTTP because like I have Cloudflare, that's like the most use we've seen for IPFS. And really, I think, as it's been touched on by like the previous speakers, it's mostly about like interoperability. Like there's no magic storage, nothing happened, like you can like use like one gateway. So now, IPFS gateways, like most of you should know, and like I would like just briefly touch on that, is an HTTP interface to the IPFS network. So that means using the HTTP protocol, you will be able to access content that is like on a totally different network, and like this case, IPFS. A gateway, so in our case like Cloudflare, will like leverage like an HTTP cache, which is like standard web technology, to make content and retrieval faster. Finally, to retrieve content, Cloudflare is also running and operating a set of IPFS nodes, so it can talk IPFS language, and it makes the interface between HTTP and IPFS.
A
We want to create an IPFS gateway, and I won't do that as a live demo, because, I don't know, wireless sometimes breaks, like as pictures. For Cloudflare, how that will work: you would go on our website, you would go like register like your domain name, etc., and then you like end up on the web3 tab and you just want to create a gateway.
A
This is a DNSLink gateway. I won't touch on like what DNSLink is, but in short, it's a way to associate a DNS domain to a CID, which is an IPFS content. And because we said we want a DNSLink gateway, we're also pointing it to some content that is on IPFS, and so in this case it's the like complex line you see at the end: /ipfs/bafy-something. And that's it.
A
If you were to go to like ipfscamp.croissant.world in web browser, you would see this croissant picture, and so from IPFS, from HTTP. That's it! The question is: that's good, you have like the picture, etc. Is it secure? Is it private? Like, what's the difficulty? And like, it's like the few talks before have touched on, it might be a bit more complex than just setting up a gateway and like leave it be.
A
So how do you secure your request? And mainly I want to like say that like we're gonna piggyback a lot on the existing web infrastructure, because like HTTP has had to deal with like these problems for like a long time. And so ideally we don't reinvent the wheel: we leverage the tools that exist already to like make sure our content is still secure.
A
So in terms of like brief introduction to like standard web security, in like the three points we've mentioned here: the first thing we want for a domain name is an X.509 certificate, also referred to as an SSL certificate, which is a dead protocol for some time. But the idea is like you have a domain name, and so your web browser should be able to authenticate that domain name when it receives it, so that there's no phishing attempt. So that's one of the things an IPFS gateway is providing, so that like from the web browser you're able to like identify the source of the request. Then a second point that like we really want to have is to have some CORS rules, and these can be specified at the gateway level. The idea is like when you're serving the croissant, you can like serve it to the whole world, but do you want the croissant to be accessed from another website?
A
Finally, IPFS provides like immutable content, which is great because like you can just access the CID, you can cache it, and you can like validate it. The thing is, sometimes you don't really know if the CID is there. You might want to like do some redirection if you like having like a website or folders, and so one thing which is interesting now like on IPFS is you can use like custom redirect pages. So if you have a website and you have like sometimes some pages that like will not be accessed, you can like just set up a custom redirect, so like you have a custom 404 page, or you can have like you redirect people to your home page, etc. And so it's kind of a way to keep like the immutability of the CID and benefit from like having like kind of like mutability and like dynamic content be served on IPFS.
A
The main question is like: why do we want to leverage HTTP to serve IPFS? There's definitely like kind of like this interaction between the two content can be tricky, but one of the main benefits of using HTTPS is a lot of tooling. Like if you're using like a normal HTTP and like edge network, you like can have rate limiting, like it's just built in. You can also benefit from like custom response header, so you can have, I know, like pass some more information through headers. You can pass some CORS rules. You can have like some access control, and all that is built in the HTTP tooling. In addition, of course, because you're using like a normal HTTP cache and like kind of like a glorified nginx, you can set up your own cache rules, and so you will control how often people should cache content in the browser, how often the content should be, like for how long the content should be cached at the CDN level, etc.
A
Finally, you also benefit from like image resizing, for instance, which may be like very beneficial for your content as it's accessed through IPFS, if you want another to make a thumbnail, or if you want to like just make sure that like the content which is static on IPFS has some slightly extra features. Of course, with the HTTP tooling, you can like also benefit from having A/B testing, like all the redirect, analytics, etc. I won't touch on like all of that, but basically you can think of: if you use HTTP, it comes already with a lot of tooling.
A
I just want to mention something quick as an honorable mention, because I do think one of the things you lose when you use HTTP for IPFS is you don't have natively the validation of the CID, because HTTP relies mainly, for like HTTPS, on X.509, but you don't have like the integrity of the content. And so, interesting, on the web you have something which is called Subresource Integrity.
A
So that means like when you have an HTML page, you can link to all the subcontent and like provide the hash, so that you know the subcontent that you have would actually be the one that you expect, and so IPFS could work similarly. So like Subresource Integrity, the good thing is like that's built in the browser. There's like three hash algorithms that you can have, but not fully compatible with IPFS for various reasons, and the main reason is like the Subresource Integrity is just a hash over the full content and like doesn't support like DAG building, Merkle trees and like just evasive features that IPFS might have. As a quick example, if you have a raw node, you can actually convert an IPFS CID into like a Subresource Integrity compatible hash, and so this is a command that we would use. It's just a brief mention because like for now it's not practical, but definitely, I think, as the content IPFS gets more weight and gets integrated in browsers, maybe like more standard, that's some things that you could expect to be like some kind of a bridge between like the existing web and like the web we could have in the future.
A
Finally, I've talked a lot about gateways. The thing is I didn't say how you can provide content to the network, and so kind of the usual or historical way to do that is you run your own node. You have content on your site and you expose it to the IPFS network. Once again, there's no magic. So how can that work? And I will really mention once again using the HTTP tooling.
A
So you might notice it's very similar to a gateway pattern and gateway diagram, because you can expose your node to the swarm via like a protocol built on top of HTTP, which is like WebSocket. And the good thing is like instead of like, when you will ask people to connect to your node, you will say: hey, you can connect to like my address, to my domain, and this will all pass through HTTP. The good thing is you benefit from like all the tools we've seen before, like you have like caching, you can have access control, and the great thing is like you're the one providing the IPFS content through HTTP. So in a way you just have like the good of both worlds: like you benefit from like all the tooling that already exists for and has been built to build the web we know today, and you can just extend it with the benefits of IPFS.
A
So if you want to start an IPFS node that like is exposed through WebSocket, how do you do that? So first of all, you download Kubo, your favorite implementation of IPFS. You do ipfs init just to like have a private key, etc., and then you need to tune slightly the configuration to say that like the transport you would be using to expose your node is WebSockets. So like I just say: hey, like for the swarm I would use like the WebSocket transports, and this is the address I would be using. So you notice the address is like ip4 and ip6, just like, and the broadcast address, just so when a request will come via WebSocket to our node.
A
So that's specific to Cloudflare, but I have a dedicated tunnel to say: hey, like when I receive a request for like ipfscamp.croissant.world, it should pass by my nodes. And that's it. You can add content. If anything, you can also advertise. If you have, like, still using DNS, you can say: hey, so like your PID would be /dns/node.ipfscamp.croissant.world and the WebSocket. And that's it: you're just using HTTP tooling to serve IPFS content.
A
The main question is: why would we want such a particular setup and not just do ipfs init, ipfs daemon, and that's it? One of the reasons: it integrates directly with browsers. So IPFS interaction with browsers still has a way to go, but definitely that's one of the ways you could do that, is like you expose your node directly to the web browsers, because you're speaking HTTP, you're speaking like WebSockets, and so that's protocols which already exist. You also benefit from having like an X.509 certificate, so like you don't have to worry about the web PKI in this setup. As I mentioned, it's built on top of HTTP, so you benefit from like all the tooling that you have: access control, rate limiting, etc., and analytics. And finally, in terms of like networking, from your node perspective is very simple, because like you would open a tunnel to an edge network, so you only have like one egress rule to open like on a firewall. You would like just reach out to this edge network and that's it. You have like no ingress rule to like worry about, know the egress pattern, so like from like network perspective it's just easier.
A
I want also to touch on another topic, which is like naming. And so like through all this presentation I've used croissant.world. So already .world is a weird TLD, but that's how the DNS work. And yeah, I've used for like all the node, the providing, the gateway, always using croissant.world, and it's like one name to serve them all. It's like just like DNS name, but the main question, we're at like IPFS Camp and like more like in a decentralized spirit: why couldn't I choose like an IPNS or like something different? So I just make a small comparison table in terms of like what DNS provides and what IPNS provides, and so they are very similar in terms of like what they provide, making slightly different choices at like various levels. So in terms of the name, the IPNS name is just the hash of a public key, let's put it like this, even though it's slightly more complicated, and that leads to names which are harder to parse, while the DNS name is just labels which have been standardized at the IETF, which are more easily human readable, even though studies have shown that like it could also be hard to parse.
A
The main thing I think that like IPNS gets right is like all of, like, the records are always signed, like with like a private key of the user, and so like because the name is directly the public key, you just know that the records that you're receiving are actually the records that like were signed by the one owning the domain. And DNS has something like that, it's called DNSSEC, and the good thing with DNS, like it does something very similar: you can have like delegation of like various labels, you also have signatures, and so you're also able to authenticate the owner of a certain domain. The transport for like IPNS, DNS, are different. IPNS like leverages technologies that like the IPFS ecosystem has been leveraging, so like DHT and pubsub. DNS is over like UDP, TCP, HTTP, oblivious HTTP if you want some more privacy. The trust anchor is different.
A
There's no real trust anchor for like IPNS, because you're just like verifying that like the record that you're getting has a signature which matches the name of the domain, while for DNS usually you would leverage like ins signatures, and so you have like IANA and then the trust falls down from there. In terms of standardization, I'm glad to have modified this slide yesterday, because there's now a spec for IPNS, so you can like go on GitHub and read it. For DNS, it's been standardized over like many RFCs at the IETF.
A
Finally, in terms of integrations, for now like IPNS is more targeted like the IPFS ecosystem, and DNS is just everywhere, so you could use one or the other. Just for like internet and like convenience of use, in all this like presentation I've leveraged DNS, and that's it. So finally, how like, what do we learn, what did we learn? Sending IPFS is definitely like an evolution of HTTP in terms of content providing, but like HTTP provides a lot of tooling that you can already leverage to like still better serve your IPFS content.
A
Names are hard, and this is like at like various levels, and making things like human readable for IPFS may require some work to like keep the trust, keep like the decentralized spirit of the network, but there are tools that like in movement that are going like us through that. And finally, one thing I would really like is like just browser integration of IPFS. It's being like built step by step, and definitely I think this like movement being done on both the browser side and IPFS side.