
Add security indicators for server URL connections #49

Merged
TheZupZup merged 1 commit into main from claude/improve-https-support-NoSzI
May 3, 2026

@TheZupZup
Owner

Summary

This PR adds security classification and visual indicators for server URL connections, helping users understand whether their connection is secure and whether they're connecting to a local or remote host.

Key Changes

  • ServerUrl security properties: Added three new computed properties to ServerUrl:

    • isSecure: Returns true for HTTPS URLs
    • isLocalNetwork: Detects local/private network hosts (IPv4 private ranges, loopback, link-local, IPv6 unique-local/link-local, localhost, and mDNS .local domains)
    • isInsecureRemote: Flags non-HTTPS connections to remote hosts as potentially insecure
  • Local host detection: Implemented isLocalHost() static method that classifies hostnames and IP addresses:

    • IPv4: Loopback (127.0.0.0/8), private ranges (10/8, 172.16/12, 192.168/16), link-local (169.254/16)
    • IPv6: Loopback (::1), unique-local (fc00::/7), link-local (fe80::/10)
    • Special hostnames: localhost and *.local (mDNS)
  • UI security hints: Added _SecurityHint widget (duplicated in both connect_screen.dart and settings_screen.dart) that:

    • Shows a warning icon and message when using HTTP with a remote host
    • Shows a "Secure connection" badge for HTTPS connections
    • Remains hidden while the user is typing an incomplete/invalid URL
  • Screen integration: Updated both Connect and Settings screens to:

    • Trigger UI updates on URL input changes via onChanged callback
    • Display the security hint below the URL input field

Implementation Details

  • The local host detection uses string prefix matching for IPv6 ranges and octet parsing for IPv4 addresses
  • Security hints only render for valid, complete URLs to avoid nagging users during input
  • The implementation uses the theme's color scheme (tertiary color for warnings, green for secure)
  • The _SecurityHint widget is currently duplicated across two screens; future refactoring could extract it to a shared location

https://claude.ai/code/session_01SRB4Jm1AYVYjmqFqKPFrHN

Adds isSecure / isLocalNetwork / isInsecureRemote helpers to ServerUrl
and renders a small inline hint under the URL field on the connect and
settings screens: a "Consider using HTTPS for remote access." warning
when the user enters an http:// URL whose host is not loopback, a
private LAN range (10/8, 172.16/12, 192.168/16, 169.254/16), an IPv6
local address, localhost, or a *.local mDNS name; a "Secure connection"
badge when the URL uses https://. Plain HTTP to LAN hosts continues to
work without nagging.
@TheZupZup TheZupZup merged commit 91e91ee into main May 3, 2026
1 check passed
@TheZupZup TheZupZup deleted the claude/improve-https-support-NoSzI branch May 3, 2026 03:40

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8680775e40

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +104 to +108
if (h.startsWith('fc') || h.startsWith('fd')) return true;
if (h.startsWith('fe8') ||
h.startsWith('fe9') ||
h.startsWith('fea') ||
h.startsWith('feb')) {
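Review bot: the `startsWith` tests on `h` in these lines never establish that `h` is an IPv6 literal, so any string beginning with fc, fd, fe8, fe9, fea or feb passes as unique-local or link-local. Parse `h` as an IPv6 address first, return false when it does not parse, and test the parsed leading bytes against fc00::/7 and fe80::/10 instead of text prefixes. Text prefixes also misjudge literals with a short first group: `fd::1` expands to 00fd::1, which is outside fc00::/7. A regression test with an ordinary DNS name that starts with one of these prefixes would pin the behaviour down.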

[P1] Limit private-IPv6 prefix checks to IPv6 hosts

isLocalHost currently treats any hostname starting with fc, fd, fe8, fe9, fea, or feb as local, even when it is a normal DNS name rather than an IPv6 literal. For example, http://fdroid.org is classified as local and therefore isInsecureRemote becomes false, so the insecure HTTP warning is suppressed for a real remote connection. This undermines the security indicator’s core purpose for a non-trivial set of hostnames.

Useful? React with 👍 / 👎.
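
The host classification discussed in this review, as an added Dart example that is not the project's code: it puts the quoted prefix test beside a form that runs the range checks only after the host parses as an IP literal, so `fdroid.org` and `fd::1` (which expands to 00fd::1) are no longer treated as local. The names `prefixMatchIsLocal`, `parsedIsLocal` and `_tryParse` and the sample hosts are assumptions made for the example.

```dart
// Added example: not the project's code; all names here are hypothetical.

// The prefix test quoted in the review comment, IPv6 branch only.
bool prefixMatchIsLocal(String h) =>
    h.startsWith('fc') || h.startsWith('fd') ||
    h.startsWith('fe8') || h.startsWith('fe9') ||
    h.startsWith('fea') || h.startsWith('feb');

// Returns the parsed address bytes, or null when the text is not a literal.
List<int>? _tryParse(List<int> Function() parse) {
  try {
    return parse();
  } on FormatException {
    return null;
  }
}

// Hardened form: range checks run only on a host that parsed as an IP literal.
bool parsedIsLocal(String host) {
  var h = host.toLowerCase();
  if (h == 'localhost' || h.endsWith('.local')) return true;
  // Tolerate a bracketed literal such as [fe80::1].
  if (h.startsWith('[') && h.endsWith(']')) h = h.substring(1, h.length - 1);

  final v4 = _tryParse(() => Uri.parseIPv4Address(h));
  if (v4 != null) {
    final a = v4[0], b = v4[1];
    return a == 127 || a == 10 ||                // 127/8, 10/8
        (a == 172 && b >= 16 && b <= 31) ||      // 172.16/12
        (a == 192 && b == 168) ||                // 192.168/16
        (a == 169 && b == 254);                  // 169.254/16
  }
  final v6 = _tryParse(() => Uri.parseIPv6Address(h));
  if (v6 == null) return false;                  // a DNS name: treat as remote
  final loopback = v6.take(15).every((x) => x == 0) && v6[15] == 1; // ::1
  return loopback ||
      (v6[0] & 0xfe) == 0xfc ||                  // fc00::/7
      (v6[0] == 0xfe && (v6[1] & 0xc0) == 0x80); // fe80::/10
}

void main() {
  // Constructed hosts; fdroid.org is the case named in the review comment.
  const hosts = ['fdroid.org', 'fd12:3456::1', 'fe80::1', 'fd::1',
      '192.168.1.20', '203.0.113.7', 'nas.local'];
  for (final h in hosts) {
    print('$h prefix=${prefixMatchIsLocal(h)} parsed=${parsedIsLocal(h)}');
  }
}
```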
