Is using the www folder (/local) a security risk?

I just realized urls that lead to /local in the www folder can be seen without someone logging in. On the bright side that should allow me to create a page viewable from the web to user not logged in to home assistant. Cool because I can share some sensor data openly. I think it’s safe as long as I don’t put anything sensitive in there. It occurred to me I probably shouldn’t use any common file names in there that I don’t want exposed. index.html for example would be easy to find for anyone used to standard naming conventions.

Am I overthinking this?

The directory cant be listed. So to display a file you have to know the exact file name. If you want to add a little extra security you can append a uuid, e.g.


That’s the first thing I did when I realized the implications. I don’t see any problems with this approach but I like to be cautions and ask questions to be safe. I’ve had my fair share of malicious traffic over the years.