BeryJu / hass-auth-header

Home Assistant custom component, which allows you to delegate authentication to a reverse proxy.
GNU General Public License v3.0
252 stars 19 forks

traefik security solution if you expose home assistant twice: one with SSO and one without #304

Open intriguedlife opened 7 months ago

intriguedlife commented 7 months ago

Just a helpful tip:

Let's say that you want to use SSO for Home Assistant in the browser, but you also want to be able to use the Home Assistant app on your phone (that does not work with SSO). The logical solution is to expose two Home Assistant endpoints: once with SSO and once without.

The issue with this addon is that if there is no SSO in front of Home Assistant and you expose both endpoints with the same proxy, then anyone can insert the 'Remote-User' (or equivalent) header and be logged in without any password.

If you use traefik you can use a middleware to remove the 'Remote-User' (or equivalent) header from requests sent to one of the exposed Home Assistant endpoints.

Docker compose labels:

'homeassistantmobile' is the name of my traefik router without SSO. 'removeheader' is the name that I chose for the middleware.

Hope this helps someone.
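An added example of the setup described above, not the labels posted in this issue: one Home Assistant container served by two Traefik routers, one behind SSO and one without, with a `headers` middleware that strips the trusted header on the non-SSO router. Hostnames, router and middleware names, the image and the `sso` middleware are assumptions for illustration; the header name `Remote-User` is the one used in the issue and must match whatever header the auth component is configured to trust.

```yaml
# Added example: docker-compose labels for two Traefik routers in front of a
# single Home Assistant container. Hostnames, router/middleware names and the
# image are assumptions; Remote-User is the header name used in the issue.
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable   # assumed image
    labels:
      - "traefik.enable=true"

      # Router 1: browser access, behind SSO. The "sso" middleware is assumed
      # to be defined elsewhere (for example a forwardAuth middleware) and is
      # what sets the trusted Remote-User header on the way to Home Assistant.
      - "traefik.http.routers.homeassistant.rule=Host(`ha.example.com`)"
      - "traefik.http.routers.homeassistant.entrypoints=websecure"
      - "traefik.http.routers.homeassistant.tls=true"
      - "traefik.http.routers.homeassistant.middlewares=sso@docker"

      # Router 2: mobile app access, no SSO. Without the removeheader
      # middleware a client could send its own Remote-User header and be
      # logged in as that user, because both routers reach the same backend.
      - "traefik.http.routers.homeassistantmobile.rule=Host(`ha-mobile.example.com`)"
      - "traefik.http.routers.homeassistantmobile.entrypoints=websecure"
      - "traefik.http.routers.homeassistantmobile.tls=true"
      - "traefik.http.routers.homeassistantmobile.middlewares=removeheader@docker"

      # Headers middleware: setting a custom request header to an empty value
      # makes Traefik remove that header from the request before forwarding it.
      - "traefik.http.middlewares.removeheader.headers.customrequestheaders.Remote-User="

      # Both routers forward to the same service (8123 is Home Assistant's
      # default port).
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
```

Middlewares attach per router, so only requests arriving through `homeassistantmobile` have the header dropped; if the component is configured to trust a different or additional header name, each of those names needs its own empty-value entry in the same middleware. To confirm the middleware is active, send a request to the non-SSO hostname with the header set to any value and check that Home Assistant answers with its normal login page rather than an authenticated session.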

DatNoHand commented 5 months ago

Thank you for the tip, would not have thought of it otherwise :)