I just read through the PR to implement HTTP headers and the reply from the maintainers actually shocked me.
@balloob said: “Supporting these kinds of remote connections requires hacks and workarounds and complicates the maintenance of our codebase. Therefore we will not be able to accept this pull request. Users can continue to use a browser to access their Home Assistant instance if they are using CloudFlare or other similar solutions.”
Seeing this is honestly shocking from Home Assistant’s developers. They essentially said “either open ports on your router, use a VPN or use Home Assistant Cloud (which is essentially just as bad as opening a port on my router)”. I do pay for Nabu Casa, but I don’t use HA Cloud because it’s not secure enough for me.
Will HTTP headers ever be allowed, or do you just not want your users to securely access their Home Assistant instances remotely?
Well, yes it is, since my Home Assistant is behind an Entra ID account with MFA enabled. I would say that is secure. The reason I need HTTP headers is to support Cloudflare Service Tokens, which can be used to bypass that level of authentication for devices attaching the ID and secret key in the header. I am still using HTTPS, I just want to be able to add headers to the HTTPS request. This is a basic layer of security.
I would say that this is an inaccurate and unfair summary. They have not said this at all.
You could use a Cloudflare Tunnel instead, and by implementing a number of CF firewall rules you can mitigate a lot of security risks. Myself, I’ve only allowed residential ISP ASNs for my home country, and not once have I had anything malicious pass through. That’s been my setup for 3 or 4 years now.
There are two sides to this though, and as Home Assistant (appears to) target the average user, one has to ask what the likelihood is of a user properly configuring CF’s Zero Trust with an enterprise IdP such as Entra ID.
I think really some form of native RBAC / SSO login support is what you are after.