Secrets are viewable in plaintext in AppDaemon dashboard via app arguments #1992
Labels
enhancement
New feature or request
Comments
|
Hi there - the secrets mechanism is intended primarily as a way to facilitate passing around of config files without having them contain sensitive information of this nature. By design, the APP parameters are visible in the dashboard, passing passwords as parameters is inherently insecure in any case and there are better approaches. AppDaemon doesn't give you any specific help here but it has all of python available to you. If I wanted to solve this issue I would put the passwords in a file and read them from the app during initialize. If you wanted to lock that down further you could manually encrypt the passwords using something like passlib. |
acockburn
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened?
I am able to see secrets I've provided an application as arguments in my apps.yaml file. I specify the secrets in secrets.yaml and use
!secret var_namein apps.yaml. However, I can still see the secret by navigating to the AppDaemon dashboard on port 5050 and viewing the app's arguments. The dashboard is accessible without a username or password on the local network. Please advise if there is a way to prevent this?Clicking this discloses the secrets.
Version
4.4.2
Installation type
Home Assistant add-on
Relevant log output
No response
Relevant code in the app or config file that caused the issue
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: