From f9d920a8fbfc8576d20e0f071224cd8bad4fac18 Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Wed, 14 Jan 2026 19:04:28 -0800 Subject: [PATCH] Clarify security recommendations in documentation --- README.md | 2 +- docs/installation/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 090973bd1..4d2497a0f 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,7 @@ For configuration options, examples and more, [please check out the homepage doc ## Security Notice 🔒 -Please note that when using features such as widgets, Homepage can access personal information (for example from your home automation system) and Homepage currently does not (and is not planned to) include any authentication layer itself. Thus, we recommend homepage be deployed behind a reverse proxy including authentication, SSL etc, and / or behind a VPN. +Please note that when using features such as widgets, Homepage can access personal information (for example from your home automation system) and Homepage currently does not (and is not planned to) include any authentication layer itself. If Homepage is reachable from any untrusted network, it **must** sit behind a reverse proxy (and/or VPN) that enforces authentication, TLS, and strictly validates Host headers. The built-in host check in Homepage is a best-effort guard and should not be treated as security when exposed publicly. ## With Docker diff --git a/docs/installation/index.md b/docs/installation/index.md index f082845b1..b6bfb23b5 100644 --- a/docs/installation/index.md +++ b/docs/installation/index.md 
@@ -37,4 +37,4 @@ The value is a comma-separated (no spaces) list of allowed hosts (sometimes with If you are seeing errors about host validation, check the homepage logs and ensure that the host exactly as output in the logs is in the `HOMEPAGE_ALLOWED_HOSTS` list. -This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended. +This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended. Public deployments must rely on a reverse proxy (and/or VPN) that enforces authentication, TLS, and unexpected Host headers; the built-in host check is a best-effort guard for local setups and is not a substitute for edge protections.
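Review bot: In the README hunk (`## Security Notice`), the new sentence "must sit behind a reverse proxy (and/or VPN) that enforces authentication, TLS, and strictly validates Host headers" attaches all three requirements to the VPN as well, which a VPN does not provide; it only restricts who can reach the listener. Suggest splitting the two deployment models so the requirements read correctly, e.g. "it **must** be reachable only over a VPN, or sit behind a reverse proxy that enforces authentication, TLS and Host-header validation". The same hunk also introduces "The built-in host check" without naming it; linking to the `HOMEPAGE_ALLOWED_HOSTS` section in `docs/installation/index.md` would let readers find the setting the sentence refers to.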
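Review bot: In the `docs/installation/index.md` hunk, "a reverse proxy (and/or VPN) that enforces authentication, TLS, and unexpected Host headers" is a grammatical slip that inverts the intent: the proxy should reject unexpected Host headers, not enforce them. Suggest "that enforces authentication and TLS and rejects requests with unexpected Host headers". It would also help to state explicitly how the `*` setting interacts with that advice, since the preceding sentence says disabling the check "is not recommended" while the new sentence calls the check a best-effort guard for local setups; a short clause such as "if you set `*`, the reverse proxy is the only component validating the Host header" would make the trade-off clear.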