/local (www) dir authentication

I’m using /local to serve javascript modules for lovelace as well as entity images for people and devices.

I’ve been setting up external access today and noticed that if I’m not logged into HA I can access files shared through this directory. Is there some config to protect it or is there a better place to store files that I want to keep private such are the entity images?


That is apparently by design

That seems strange. I guess the best way around this is to store private files elsewhere.

What does that mean?
I use that folder, what files can you access other than files put in that directory?

I can only access files that are stored in that directory but I’m looking for somewhere to store files that I don’t want publicly available like pictures used in the front end.

1 Like

I don’t think Lovelace can log into a private file storage system to display something like photos.
There might be a custom component but I haven’t heard of one.

1 Like

I remember someone mentioning “whitelisting” directories the last time a read a post similar to this one. I have never done this, so I’m not speaking from experience.

1 Like

Is this topic stil open? I noticed the exact same thing. Trying to do everything safe and get it secured. And then this came allong. At this point, I cant get any private picture to be visable… (stack, google drive, dropbox aren’t loading…) If anybody has an idea. Please share

I didn’t get anywhere with this unfortunately

I just checked my config and I don’t see any whitelisting anymore.
( I know I tried this once but found it not to matter in the end.)
I just started playing a white Noise file from my www directory and it works without it.
I do have to use my full SSL address to get it to cast to my Google Home’s successfully though.

Everything in the www folder is externally accessible without authentication. This is intentional.

Files served from the www folder ( /local/ url), aren’t protected by the Home Assistant authentication. Files stored in this folder, if the URL is known, can be accessed by anybody without authentication.


The option whitelist_external_dirs has been renamed to allowlist_external_dirs (for BS political reasons). However it should operate the same as before, for setting up a list of folders that can be used as sources for sending files. I believe that these are still protected, unlike the www folder.

If you’re looking to fetch external resources like images for use in HA, you should look at the (relatively new) allowlist_external_urls option.

1 Like

While you can access files in there without authentication, you cannot list the contents (with one caveat, see below). So you need to know the exact file name and/or subdirectory name. So just prefix your files with a random GUID, or put them into a subfolder named after a random GUID, like for example:


There is one security peculiarity though. If someone is scanning your local folder trying random names, they will get a 404 - not found if a folder does not exist. But they will get a 403 - forbidden if it does exist, allowing them to try scanning inside of it. So use long and random directory names to mitigate the risks of it being discovered.

Of course you can use any random character sequence if you don’t like GUIDs.