Security exposure on www directory

Hi, please someone help me understand the risk of the www directory.

I noticed in the documentation that it is ‘intentionally’ public so it can be accessed without authentication if you know the filename. So I was using it to store pictures of areas, person entities and other helpers.

I have some questions:

  1. All pictures are basically exposed externally, what is a good practice to use another directory for the same purpose? areas, entity pictures, etc?

  2. I was using it to store snapshots so the notifications can use them, can that be done with an authenticated directory? How?

  3. I noticed all the HACS stuff is there in the ‘community’ directory, which is then exposed. What is the logic of putting HACS files there? Why keep them there? It is a potential attack surface by guessing common HACS packages. Can I change this myself through HACS config or something?

Thanks, I am just paranoid. My HA is not exposed to the internet, but I was planning to do it via nabucasa or cloudflare tunnel, but the situation remains.

This has been a point of contention for years now, tbh.

Yes, the www directory is open to the public with no authentication available. There are LOTS of forum posts and issues in GitHub about this. Granted, directory browsing is disabled, but any file you put in that directory is available to the public as long as they know the file name. Some people have tried to get creative and stored things like snapshots and other files using GUIDs as a file name, etc., but that’s really just security by obfuscation, imho. Because of this, I store next to nothing aside from profile pics and a few audio files in the www directory.

The logic is so that the frontend can load scripts without requiring authentication and no, it’s not a setting you can change. As for an attack vector, sure, but at the same time, I NEVER allow any frontend/backend code on the server that I haven’t researched and/or read myself. Is it a perfect system? Heavens no, but it’s good enough that I’ve personally never seen a single forum post about someone’s HA instance getting hacked that way.

Now, to be fair, in all my years of using HA (which is quite a lot now), I have never heard of a single instance getting “hacked” through the www directory. IIRC, it’s pretty locked down in terms of jailbreaking out of it and the server doesn’t allow POST/PUT/PATCH/DELETE, etc. calls to it. All it allows for are GET requests (I might be wrong about this, but I don’t think I am). It also doesn’t support FORM/MULTIPART uploads either (again, that I know of). So, getting a rogue script in there isn’t going to work either unless you have uploaded a script yourself.

On my own instance, I have been using nabu casa since it came out and I’ve never had an issue of anyone even attempting to log in to my instance, much less hack through the www directory.

Snapshots can be stored instead in the media folder which is authenticated, there’s some documentation talking about it in the mobile app docs: Standard Attachments | Home Assistant Companion Docs

As for the HACS parts being in there - I think that is necessary for frontend cards to work. I don’t think HACS integrations are listed in there.

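An inventory check for the situation discussed in this thread, added here as an example and not code from any poster or from Home Assistant: it lists every file under a `www` directory with the unauthenticated `/local/` URL it is served at, and separates HACS frontend assets from files that look like camera snapshots and belong in the authenticated media folder. The extension allowlist, the filename hints and the sample tree are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

URL_PREFIX = "/local/"   # <config>/www is served here without authentication
HACS_DIR = "community"   # HACS frontend assets live in www/community
# Assumption: file types the owner accepts as public (profile pics, audio).
EXPECTED_EXT = {".png", ".jpg", ".jpeg", ".svg", ".mp3", ".wav"}
# Assumption: name fragments that suggest a camera image.
SNAPSHOT_HINTS = ("snapshot", "camera", "doorbell")


def audit_www(www_dir):
    """Return (url, category) for every file reachable without a login."""
    root = Path(www_dir)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        url = URL_PREFIX + rel.as_posix()
        name = path.name.lower()
        if rel.parts[0] == HACS_DIR:
            category = "hacs-frontend"   # needed by frontend cards
        elif any(hint in name for hint in SNAPSHOT_HINTS):
            category = "move-to-media"   # likely a camera image
        elif path.suffix.lower() not in EXPECTED_EXT:
            category = "review"          # unexpected type in a public dir
        else:
            category = "public-ok"
        findings.append((url, category))
    return findings


def build_sample_tree(base):
    """Constructed sample layout, not taken from a real instance."""
    for rel in ("areas/kitchen.jpg", "front_door_snapshot.jpg",
                "community/some-card/some-card.js", "backup_notes.txt"):
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for url, category in audit_www(tmp):
            print(f"{category:14} {url}")
```

Point `audit_www` at the real `www` directory of an instance to get the same report for its files.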