I see here (Home Assistant isn't served correctly for base_url with a path · Issue #21113 · home-assistant/core · GitHub) that in the past the idea of a configurable base url has been discussed and dismissed. I also see that there seems to be an impasse on the HA companion app working via CloudFlare tunnels that enforce reasonable security policies like oauth / login with Google accounts (Cloudflare Access and the Android App).
I think that supporting a fully configurable base_url could provide some relief for the HA/CloudFlare folks… by simply generating a long url path that is difficult to guess, this serves as a form of a password. Since the transport is TLS encrypted, there isn’t much of a threat of external parties learning the URL path. Security by obscurity, but I’d be happy enough to have this so I could use a CF tunnel with no complications of extra security prompting that it currently cannot cope with. This is how many cloud based apps secure some assets (google photos takes this approach, i believe).
The dismissal of this pointed to a security policies link that is now broken, so I was unable to read about the reasoning behind any such policy. Seems like a well-written application would be portable to any valid and configured url-space.
Thoughts?