About security in Homarr
Homarr's initial purpose was, to run it only within your local network. For this reason, earlier versions lacked critical security measures.
Since 0.11.0
, Homarr has now a comprehensive secrets management system,
that protects you from having confidential data being leaked or misused.
This means, that no credentials are sent to clients, and they're kept on the server.
Versions prior to 0.11.0 are deemed to be unsafe and deprecated. We highly advise against running them.
However, we do not recommend that you directly expose Homarr with any authentication for the following reasons:
- The current password functionality is not safe, to be exposed on the internet. Users could be able to grab the password from your cookies - also known as cookie theft.
- Some endpoints potentially create a lot of network traffic. If a bot, indexer or web crawler floods your server with requests, it might clog up your network, since API routes have no rate limiting.
- The password functionality does not use best practices and could be brute-forced, also known as DDOS
- Some routes, which should require authentication, are not fully protected.
For these reasons, we always recommend to secure your Homarr with one of the following choices, if you plan to expose it to the internet:
- Authelia
- Any SSO / Proxy Authenticator
- Two factor authentication
- Any tunnels / VPN (like Cloudflare, Headscale, Wireguard, IPSEC, OpenVPN, ...)
Do not use Basic Authentication in Nginx or similar proxies, as they are deemed to be unsecure and can easily be brute forced.
We know, that this topic is currently one of the biggest weaknesses of Homarr. We plan to make major changes in this regard in the future, which will eliminate the need for additional authentication proxies.
Making your dashboard read-only
Since 0.11.5
, Homarr has an experimental read only mode.
When this mode is enabled, the following changes will be made:
- The edit mode is disabled and can't be entered anymore
- All requests to change the config will be denied and rejected
- The settings will be hidden and disabled
This can be used, if you serve your page to multiple users, and don't want them to be able to edit anything. As the name suggests, this is not a permanent solution and not recommended for most users. It also requires a restart each time, that you want to enable or disable the read-only mode.
You can enable the read-only mode by setting the DISABLE_EDIT_MODE
environment variable to true
.
Disable by unsetting DISABLE_EDIT_MODE
.
We'll remove this setting, as soon Homarr supports a better security and authentication model.
What the future holds
As mentioned, we plan to implement a more robust solution for the future. We also want to offer Homarr to users, that want to expose it to the internet or use it with their famility, friends or at work.
Making such changes requires significant changes to the whole structure and code of Homarr. We have already started working on these features, but it will take a lot of time.