Merge pull request #5629 from esphome/bump-2025.11.0b3

2025.11.0b3

Author: jesserockz

.gitignore

@@ -19,6 +19,9 @@ __pycache__/
 *.py[cod]
 *$py.class
 
+# Release notes generator cache (persistent PR cache + version-specific data)
+script/cache/
+
 venv
 
 *.DS_Store

content/changelog/2025.11.0.md

@@ -75,9 +75,13 @@ api:
     If you need a key, you can use the key below; it is randomly generated by your browser each time this page loads:
 
 {{< api-key-input >}}
+
 > [!NOTE]
 > Support for configuring the encryption key on-the-fly will be implemented in a future release of Home Assistant.
 
+> [!TIP]
+> For comprehensive security guidance including API encryption best practices, see the [Security Best Practices](/guides/security_best_practices) guide.
+
 - **actions** (*Optional*, list): A list of user-defined actions. See [User-defined Actions](#api-device-actions).
 - **batch_delay** (*Optional*, [Time](/guides/configuration-types#time)): The delay time for batching multiple state update messages
   together to reduce network overhead. Lower values send updates sooner but use more network packets,

content/components/api.md

@@ -100,6 +100,9 @@ mqtt:
 - **certificate_authority** (*Optional*, string): Only with `esp-idf`. CA certificate in PEM format. See
   [TLS with esp-idf (esp32)](#mqtt-tls-idf) for more information.
 
+> [!TIP]
+> For MQTT security recommendations including TLS configuration, see the [Security Best Practices](/guides/security_best_practices#mqtt) guide.
+
 - **client_certificate** (*Optional*, string): Only on `esp32`. Client certificate in PEM format.
 - **client_certificate_key** (*Optional*, string): Only on `esp32`. Client private key in PEM format.
 - **skip_cert_cn_check** (*Optional*, bool): Only with `esp-idf`. Don't verify if the common name in the server

content/components/mqtt.md

@@ -29,6 +29,10 @@ ota:
 ## Configuration variables
 
 - **password** (*Optional*, string): The password to use for updates.
+
+> [!IMPORTANT]
+> Always use strong, unique passwords for OTA updates. See the [Security Best Practices](/guides/security_best_practices#ota-password-protection) guide for more information.
+
 - **port** (*Optional*, int): The port to use for OTA updates. Defaults:
 
   - `3232` for the ESP32

content/components/ota/esphome.md

@@ -123,6 +123,9 @@ web_server:
     password: !secret web_server_password
 ```
 
+> [!IMPORTANT]
+> Always enable authentication when using the web server. See the [Security Best Practices](/guides/security_best_practices#web-server-authentication) guide for recommendations.
+
 Use version 1 user interface:
 
 ```yaml

content/components/web_server.md

@@ -35,6 +35,9 @@ wifi:
   password: !secret wifi_password
 ```
 
+> [!TIP]
+> For WiFi security recommendations including `min_auth_mode` configuration, see the [Security Best Practices](/guides/security_best_practices#wifi-security) guide.
+
 {{< anchor "wifi-configuration_variables" >}}
 
 ## Configuration variables

content/components/wifi.md

@@ -652,6 +652,10 @@ The {{< docref "/components/deep_sleep" "Deep Sleep" >}} component needs to be p
 configuration when the device is first added to Home Assistant. To prevent entities from appearing as "unavailable",
 you can remove and re-add the device in Home Assistant.
 
+## How do I secure my ESPHome devices?
+
+See the comprehensive {{< docref "security_best_practices" >}} guide for detailed recommendations on API encryption, OTA passwords, network segmentation, physical security, and more.
+
 ## See Also
 
 - {{< docref "/index" "ESPHome index" >}}

content/guides/faq.md

@@ -241,3 +241,4 @@ Logging level can be set with the env var `ESPHOME_LOG_LEVEL` (default is `INFO`
 - {{< docref "cli/" >}}
 - {{< docref "/index" "ESPHome index" >}}
 - {{< docref "getting_started_hassio/" >}}
+- {{< docref "security_best_practices" >}}

content/guides/getting_started_command_line.md

@@ -197,3 +197,4 @@ a new issue on the [GitHub issue tracker](https://github.com/esphome/esphome/iss
 
 - {{< docref "/index" "ESPHome index" >}}
 - {{< docref "getting_started_command_line/" >}}
+- {{< docref "security_best_practices" >}}