Security
Network Model
PiEEG Server is designed for local network use — your Raspberry Pi streams EEG data to devices on the same WiFi/LAN.
EEG data is sensitive biometric information. Do not expose ports 1616/1617 to the public internet without additional security layers.
Built-in Protections
| Layer | Protection |
|---|---|
| Authentication | Optional 6-digit code with --auth |
| Rate limiting | Brute-force protection on auth endpoint |
| HMAC timing-safe | Prevents timing-based code guessing |
| HttpOnly cookies | Session tokens not accessible to XSS |
| Per-restart codes | Fresh access code on every server start |
| Webhook cooldowns | Server-enforced rate limiting on HTTP callbacks |
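How the first four rows of that table fit together, as an added illustration written for this page and not PiEEG Server's own code: the access code is regenerated from the OS CSPRNG at start-up, submitted codes are checked with a constant-time comparison, a per-client failure budget locks out brute forcing, and a successful login hands back an opaque session token in an `HttpOnly` cookie. The threshold, lockout window, client identifiers and cookie name are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Assumed values for this example; PiEEG Server's real limits are not stated here.
MAX_FAILURES = 5          # consecutive bad codes before a client is locked out
LOCKOUT_SECONDS = 60      # how long the lockout lasts


def generate_access_code() -> str:
    """Fresh 6-digit code from the OS CSPRNG; call once per server start."""
    return f"{secrets.randbelow(1_000_000):06d}"


class AuthGate:
    """Rate-limited, timing-safe check of a 6-digit access code."""

    def __init__(self, access_code: str, now=time.monotonic):
        self._code = access_code.encode()
        self._now = now                         # injectable clock for testing
        self._failures = defaultdict(int)       # client -> consecutive failures
        self._locked_until = {}                 # client -> monotonic deadline
        self.sessions = {}                      # session token -> client

    def _is_locked(self, client: str) -> bool:
        deadline = self._locked_until.get(client)
        if deadline is None:
            return False
        if self._now() >= deadline:
            # Lockout expired: clear it and reset the failure counter.
            del self._locked_until[client]
            self._failures[client] = 0
            return False
        return True

    def attempt(self, client: str, submitted: str):
        """Return (ok, set_cookie_header_or_None, status_message)."""
        if self._is_locked(client):
            return False, None, "locked"
        # Constant-time comparison: the time taken does not depend on how many
        # leading digits matched, so the code cannot be guessed digit by digit.
        # (Only the length is observable, and every code is 6 digits anyway.)
        ok = hmac.compare_digest(self._code, submitted.encode())
        if not ok:
            self._failures[client] += 1
            if self._failures[client] >= MAX_FAILURES:
                self._locked_until[client] = self._now() + LOCKOUT_SECONDS
                return False, None, "locked"
            return False, None, "bad code"
        self._failures[client] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = client
        # HttpOnly keeps the token out of document.cookie, so script injected
        # into the dashboard cannot read it; SameSite=Strict stops cross-site
        # requests from carrying it.
        cookie = f"session={token}; HttpOnly; SameSite=Strict; Path=/"
        return True, cookie, "ok"


if __name__ == "__main__":
    code = generate_access_code()
    gate = AuthGate(code)
    print("access code for this run:", code)
    print(gate.attempt("10.0.0.5", "000000"))   # constructed client address
    print(gate.attempt("10.0.0.5", code))
```

The clock is injected so the lockout can be tested without sleeping; in a real server `time.monotonic` is the right default because it is unaffected by wall-clock adjustments. Add `Secure` to the cookie once the server sits behind TLS.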
Recommendations
- Enable `--auth` on shared networks
- Use a VPN or SSH tunnel for remote access
- Keep the server updated (`pieeg-server self-update` from dashboard)
- Review webhook URLs — they relay data to external services
- For production/research use, consider a reverse proxy (nginx/caddy) with TLS