Anyway to avoid the security risk on www/local folder?

[kerhbal]

Hi there,
Really enjoy this project, but according to this https://www.home-assistant.io/integrations/http/#hosting-files, the www/local folder is not protected by home assistant authentication, anyone with a bit time and tools can access the folder relatively easily.
As all the tutorial uses local/www folder, I'm just wondering if other folders also work for Floorplan? thanks
I tried it with another folder, but it seems the request is blocked by home assistant's authentication.

[exetico]

Hi 😊.

The www/local folder is exposed by HA and HACS. That's how it works. Therefore, I'm unsure why you're takling about security risks here. Other folders will not be exposed.

You'll need to have the SVG and CSS in the exposed area. Ha-floorplan doesnt implement another API or simular exposed path for your SVG and CSS files.

[exetico]

@kerhbal : Please don't create multiple answers. Use the "reply" function instead.

I get what you're asking about. I just pointed out, that it's the native HA-way. We do not impemenet another API og simular exposted paths, and it's not a plan to implement a more secure way to service the SVG-files. I understand your thoughts, though. But I'd like to point out, that this kind of scope should be handled outside of ha-floorplan, for the few users, actually asking for a function like this. If you're running the service behind a reverse proxy, basic auth could be a solution (not good, though).

I think you should check this:
home-assistant/architecture#309
https://community.home-assistant.io/t/www-folder-authorization/251616
home-assistant/core#21104

[exetico]

It's not a solution, but I can't get any closer :)

[kerhbal]

thanks for these reference. I think it's a problem of home assistant. will try something else.

[exetico]

It works as it's scoped. You'd need to think about a better way of handling the assets, if that's really important for you 😃 .

[kerhbal]

oh I think there is a bit misunderstanding, by "security risk" I don't mean floorplan will post security risk to home assistant, it's just floorplan itself will have sensitive data outside home assistant's protection.
Originally home assistant exposes www/local folder for some static files, which makes sense if those files are non-sensitive. And more and more custom frontend card utilize that folder to store some js files, still normal.
I think things start to go a little bit wild when we put our home schematic inside that folder, because in some way that's no longer general data, it becomes personal.

What I'm trying to see is if floorplan can utilize a long live token to have access to home assistant, and thus let user put such personal data within home assistant's authentication protection.
Really appreciated the project, just some thoughts on this. thanks