Another recurring thing that trips up people when they start with HA:
config/www vs. URL:8123/local
What the heck… can it be made consistent? (even if it means a symbolic link or re-directing one to the other to preserve backwards compatibility)
Yes please! I remember this messing up my mind when I started out with HA!
4 Likes
Haha yea this is for sure a WTH moment. And then if you install HACS this process gets repeated finding out that now URL:8123/hacsfiles maps to /config/www/community.
Is there some technical reason the folder has to be called www or can it just be renamed to local? If it was just called local that would probably be fine even if it is still a little weird its in /config and not /share/local or just /local.
4 Likes
I could be wrong but I thought it was pretty simple.
Where a URL is called for use /local
Where a path is called for use config/www
Everything is simple in hindsight 
The points are that (1) it isn’t obvious, (2) it seems like it might be easily improved so that it is obvious.
4 Likes
Fairy nuff.
ideal WTH
I also think that it’s very weird for beginners.
1 Like
Did anyone look at the documentation for this feature?
https://www.home-assistant.io/integrations/http/#hosting-files
Guess not, since that is one of the more user-unfriendly pages in the docs, and one only knows where to find it if one knows one is looking for an item on hosting files.
Which already presumes a certain dev knowledge, a ‘normal’ user of Homeassistant shouldn’t need to have, for simply showing a picture of every user, or anything else for that matter…
this page alone proofs the WTH in this topic to be a very valid one. Voted +1!
1 Like
It should not really be used for user pictures anyway, since everything you place there are accessable without authentication.
yea, that is something to consider seriously indeed. What would your advice be on that subject?
edited the line in the post above
Get a time machine, install 115 and use the upload feature 
1 Like
?
not such a great contribution ;-(
I wasn’t jesting and now you are? You raise a serious issue, is it too much to ask for a serious suggestion how to mitigate that?
I was serious… Wait for 115.
Or install dev 🤷
I see, 115 was the future HA update, didnt see that, duh.
Still that is only for person images? And not for everything else we now store in www? Or?
cant wait to re-upload all that manually …
Person images only
ok, so let me rephrase my question: how to secure all non-person images and other files we now store in /config/www which are not protected with authentication
maybe we should add to this topic WTH, is /config/www unprotected?
To make things easy. You shouldn’t have any sensitive files in there and the full URL including the path and file name needs to be known to access it.
I still don’t get why this remark is made on the /www folder and not on any other folder in the config. Not really sure even to whom this applies, eg who can see the /www folder.
Would that be anyone browsing the network, or only people that are logged in via ssh? Or users using the webbrowser? But, how would they be able to browse the HA instance, if and when they wouldn’t be authenticated in the first place.
Who/what is this sentence referencing exactly? Not even sure a person image is sensitive, at least, depending on the circle of people able to see it. My household can browse where they like, they know what we look like 
Others might be scared, and I like to prevent that…