Add a Warning in UI if the web admin password is not set #12828
Conversation
I know there are people jumping on the security bandwagon who want to add passwords to every item on the internet. I hate security. It has always been a showstopper for me. I liked Tasmota for being as open as possible and watched over the years with some dismay as hidden passwords were introduced. I don't like this PR as it now even forces me to use a web password on my own local intranet. I don't use MQTT passwords and don't want to use webpage passwords either. As it stands I won't merge this. There must be a better way for resellers to force their users to use a password without bothering me. NOTE: Perhaps:
Yes, I agree. Let's find a better way for this. I did this PR following the advice in #6767.
Is it local with this API implementation? :-D
I don't use MQTT passwords either, because I have only trusted devices in my LAN. But: sometimes I visit untrusted websites from a browser inside my LAN. That's the bridge which could open my garage door or modify all firmware on every Tasmota device in my LAN. Well, I've set up my passwords for the Web API, but most users out there have never heard about this issue. And the issue is public. Please print the warning (maybe with a "dismiss" button, whatever). It's really an ugly bug... if my next mate, who has never heard about cross-site attacks, is using Tasmota without a web password, I could simply send him a link and take control over his whole house!
Yes, please! ;-)
…ocking HTTP web commands (#12828)
Retry with latest change. It won't tackle every attack but I think the basic functionality as demonstrated by your In fact all HTTP requests not coming from the device are disabled this way. If users want to use HTTP web commands they have to enable Let me know what you think. EDIT1: Bugger. This fails initial setup. I will revert the change and do further testing.
Add command ``SetOption128 1`` disabling web referer check default blocking HTTP web commands (#12828)
Another try. See above.
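The Referer check discussed in the two comments above, written out as an added example. This is not Tasmota's code and makes no claim about how Tasmota implements the check; the struct, field and function names (`DeviceIdentity`, `refererCheckDisabled`, `refererHost`, `refererAllowsCommand`) and the sample hostnames and addresses are this example's own. The idea it demonstrates is the one in the thread: a browser attaches the Referer header itself, a page on another origin cannot forge it, so a command is only honoured when the Referer's host is the device itself, unless the operator opts out (the thread's ``SetOption128 1``).

```cpp
// Added example, not Tasmota's own code: a Referer-based gate for a device's
// HTTP command endpoint, in the spirit of the check discussed in this thread.
// Field and function names below are this example's own; "SetOption128" is
// the option name from the thread, represented here by refererCheckDisabled.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

struct DeviceIdentity {
    std::vector<std::string> hosts;   // hostname and IP address(es) the device answers on
    bool refererCheckDisabled;        // operator opt-out, like SetOption128 1
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Host part of an absolute URL, lower-cased, with scheme, userinfo, port,
// path, query and fragment removed. Returns "" when there is no absolute URL.
std::string refererHost(const std::string& referer) {
    std::string s = referer;
    const size_t schemeEnd = s.find("://");
    if (schemeEnd == std::string::npos) return "";
    s = s.substr(schemeEnd + 3);
    const size_t pathStart = s.find_first_of("/?#");
    if (pathStart != std::string::npos) s = s.substr(0, pathStart);
    const size_t at = s.rfind('@');                 // drop user:password@ if present
    if (at != std::string::npos) s = s.substr(at + 1);
    if (!s.empty() && s[0] == '[') {                // IPv6 literal: [addr]:port
        const size_t close = s.find(']');
        if (close == std::string::npos) return "";
        s = s.substr(1, close - 1);
    } else {
        const size_t colon = s.find(':');           // strip :port
        if (colon != std::string::npos) s = s.substr(0, colon);
    }
    return toLower(s);
}

// True when a command request may be executed. The Referer host must match one
// of the device's own names exactly; a substring test would let
// "tasmota-1234.attacker.example" pass for a device named "tasmota-1234".
// A missing or unparsable Referer (URL typed directly, curl, scripts) is
// refused while the check is on, which is why external HTTP command clients
// need the opt-out, as the thread says.
bool refererAllowsCommand(const DeviceIdentity& dev, const std::string& refererHeader) {
    if (dev.refererCheckDisabled) return true;       // SetOption128 1 equivalent
    const std::string host = refererHost(refererHeader);
    if (host.empty()) return false;
    for (const std::string& own : dev.hosts) {
        if (toLower(own) == host) return true;
    }
    return false;
}

int main() {
    // Constructed sample identity and Referer values; no real device is contacted.
    const DeviceIdentity dev{{"tasmota-1234", "192.168.1.50"}, false};
    const char* samples[] = {
        "http://192.168.1.50/cs",                       // device's own page
        "http://TASMOTA-1234:80/",                      // own hostname, any case, with port
        "http://tasmota-1234.attacker.example/",        // cross-site page impersonating the name
        "https://evil.example/",                        // unrelated site
        "",                                             // no Referer at all
    };
    for (const char* r : samples) {
        std::cout << (refererAllowsCommand(dev, r) ? "allow  " : "refuse ")
                  << '"' << r << "\"\n";
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind, both consistent with the comment above saying the check "won't tackle every attack": only browsers set the Referer header for the user, so a non-browser client on the LAN can send any Referer it likes, and the check therefore only stops browser-driven cross-site requests; and the exact host comparison matters, since matching the device name as a substring of the Referer would be defeated by an attacker-controlled name that merely contains it. The web admin password this PR warns about remains the actual access control.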
Description:
Add a Warning in Tasmota User Interface if the web admin password is not set.
To set the web admin password, you can go to CONFIGURATIONS -> CONFIG OTHER -> Web Admin Password.
Or in the console by the ``webpassword`` command. Then, after restart, your browser will ask for Username and Password. By default the username is ``admin``. The username can be changed by using the key ``WEB_USERNAME`` in the user_config_override.h file.
As the password is for securing the HTTP API and the web interface, this warning is not published by MQTT nor Serial. Only in the web UI.
This continues the PR: #12827
Related issue (if applicable): #6767
Checklist:
NOTE: The code change must pass CI tests. Your PR cannot be merged unless tests pass