There are a number of Home Assistant services that are exposed on the internet that are easy to find through web crawlers (e.g. Shodan).
Because the password is optional, users often do not configure one for accessing Home Assistant remotely.
An approach to mitigate this problem is to require a password for IP addresses accessing the service that do not match the subnet of the Home Assistant service. If a password is not supplied, then block access with a user-friendly message telling them to set a password.
Otherwise, require a password to be set before the service can start.
Since I've just come across Home Assistant myself and have yet to become familiar with the codebase, I don't have any means to contribute. But after some time I'll be glad to create a Pull Request to help address this issue if no one else is willing.
Cheers
Roman
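The access policy proposed in the post above, written out as an added example in Python (Home Assistant's language); this is not code from the original post or from the Home Assistant project, and the subnet, the password values and the denial message are constructed for illustration. It also fails closed on an unparseable client address, a case the post does not mention.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; a real deployment would read these from its config.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
FRIENDLY_DENIAL = ("Remote access to Home Assistant requires a password. "
                   "Configure one for the http component and restart.")


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_access(client_ip: str,
                 supplied_password: Optional[str],
                 configured_password: Optional[str],
                 local_subnet: ipaddress.IPv4Network = LOCAL_SUBNET) -> Decision:
    """Allow clients on Home Assistant's own subnet without a password;
    require a configured, matching password from everyone else.

    client_ip must be the TCP peer address, not a value copied from a
    client-controlled header such as X-Forwarded-For, unless a trusted
    reverse proxy in front of the service sets that header."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return Decision(False, "invalid client address")  # fail closed

    if ip in local_subnet:
        return Decision(True, "local subnet, no password required")

    if not configured_password:
        # Remote request, but no password exists yet: block with guidance
        # instead of leaving the instance open to the internet.
        return Decision(False, FRIENDLY_DENIAL)

    if supplied_password is None:
        return Decision(False, "password required")

    # Constant-time comparison so response timing does not leak the password.
    if hmac.compare_digest(supplied_password.encode(), configured_password.encode()):
        return Decision(True, "password accepted")
    return Decision(False, "password rejected")
```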