Security

Token security

Each host has a 64-character update token that grants anyone who holds it the ability to update that host's IP address. Treat tokens with the same care you would a password.

• Never commit tokens to source control — use environment variables or a secrets manager instead.
• Never share tokens in public forums, chat rooms, or screenshots.
• Use one host (and therefore one token) per device or location, so you can rotate individually.
• If you suspect a token has been exposed, regenerate it immediately from the dashboard.

The recommended pattern for scripts and containers is to read the token from an environment variable rather than hard-coding it in the command or config file:

# Set once in your shell profile or .env file (never commit this file)
export NOVA_TOKEN=your-64-char-token-here

# Reference it in the update command — the token never appears in scripts
$ curl -s "https://novadns.io/api/update?token=$NOVA_TOKEN"

Credential rotation

You can regenerate a host token at any time from the dashboard. Navigate to your host, open Host Settings, and click Regenerate Token. The old token is invalidated immediately.

Plan your rotation to minimise downtime:

• Generate the new token in the dashboard but do not save yet.
• Update the token in every client that uses the host (router, script, container).
• Confirm all clients are configured, then click Save to invalidate the old token.
• Check the update log in the dashboard to confirm a successful update with the new token.

Your account password can be changed under Settings → Account → Change Password. Changing your password does not affect host tokens — they are independent credentials.

Multi-factor authentication

NovaDNS supports TOTP-based multi-factor authentication (Google Authenticator, Authy, 1Password, Bitwarden, and any standard TOTP app). Enabling MFA protects your account even if your password is compromised.

To enable MFA, navigate to Settings → Security → Two-factor authentication and follow these steps:

• Scan the QR code with your authenticator app, or enter the manual setup key.
• Enter the 6-digit code from your app to verify the setup is working.
• Save your backup codes somewhere secure — they are single-use codes for account recovery.
• Click Enable to activate MFA on your account.

Google and Microsoft OAuth logins delegate MFA enforcement to those providers. If you sign in via OAuth, enable MFA at the provider level for equivalent protection.

Webhook secrets

Every webhook delivery is signed with an HMAC-SHA256 signature over the request body, using your webhook's signing secret. The signature is sent in the X-NovaDNS-Signature header.

Always verify the signature before processing a webhook event. A minimal verification looks like this:

import { createHmac } from "crypto"

function verifySignature(
  body: string,
  secret: string,
  signature: string
) {
  const expected = "sha256=" + createHmac("sha256", secret)
    .update(body).digest("hex")
  return expected === signature
}

Rotate webhook secrets periodically, or immediately after a potential exposure. To rotate, go to Settings → Webhooks, select the webhook, and click Regenerate Secret. Update your server with the new secret before saving to avoid a gap in verification.

• Always reject requests where the signature is missing or does not match.
• Use a timing-safe comparison function (e.g. crypto.timingSafeEqual) to prevent timing attacks.
• Never log the raw signature header alongside the secret.

HTTPS only

All NovaDNS endpoints — including the update API and the DynDNS-compatible endpoint — require HTTPS. Plain HTTP requests are rejected to prevent tokens from being transmitted in cleartext.

Ensure your client is configured to use HTTPS:

$ curl "https://novadns.io/api/update?token=YOUR_TOKEN"

# HTTP is not accepted
$ curl "http://novadns.io/api/update?token=YOUR_TOKEN"

If your router or embedded device cannot verify TLS certificates (common on older firmware), check for an option to install updated CA certificates rather than disabling certificate verification — sending tokens over an unverified TLS connection negates the security benefit.

Team access control

NovaDNS teams use role-based access control with three levels:

• Assign the minimum role required for each member's function.
• Remove members promptly when they leave the organisation — go to Settings → Team → Members and click Remove.
• Revoked members immediately lose access; any host tokens they configured will still work until rotated.
• After removing a member who had Admin access, audit your host tokens and rotate any they could have copied.

Monitoring

The update log records every IP change received for each host, including the timestamp, source IP of the request, and the new address that was set. Reviewing this log helps you detect unexpected or unauthorised changes.

Signs that warrant investigation:

• Updates arriving from a source IP you do not recognise (could indicate a leaked token being used by a third party).
• Unusually frequent updates — legitimate clients update every few minutes at most.
• IP changes at unexpected times, such as in the middle of the night when the device should be idle.
• Multiple different IPs being set in a short window, which may indicate a misconfigured client or a replay attack.

Access the update log by opening a host in the dashboard and selecting the Update Log tab. If you observe suspicious activity, rotate the host token immediately and investigate the source.