docusealco / docuseal

Open source DocuSign alternative. Create, fill, and sign digital documents ✍️
https://www.docuseal.co
GNU Affero General Public License v3.0

Application Is Vulnerable To Outside Use After Fresh Installation #312

Closed. compumatter closed this issue 1 week ago.

compumatter commented 1 week ago

Hello,

After a fresh Docker installation the URL brings up this page. It appears that at that point, should the human who installed it be distracted for any reason, this page is up and running for anyone else to find and log in.

I believe the initial administrator credentials should be part of the env variables, or some other method should be used, to ensure the application is not left wide open.

[screenshot]

omohokcoj commented 1 week ago

@compumatter that's quite a popular practice for self-hosted apps: to provide the initial setup/onboarding form on the first run. Even if an attacker can take over the app in the short span between when the app is deployed and when it is set up, the owner of the app can easily notice that (since he won't be able to log in or see the setup screen). Also, this can't lead to any data leaks/losses, since the app is empty after the initial setup.

compumatter commented 1 week ago

Thanks for writing back. I would agree that it is popular to have an initial admin login of some kind. The username is typically provided as well, i.e. 'admin'. However, I feel confident it is not the norm for business projects to allow the creation of a password at that entrance screen. Home software, no big deal. Businesses would balk at that.

You appear to have some professional-grade software here. I think your opener should mirror that. Your software, your choice, just giving you the perceptions of one business person.
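The thread above is about the window between "container is up" and "owner has claimed the admin account", during which an unauthenticated first-run form is reachable by anyone who finds the URL. The following is an added example written for this page; it is not DocuSeal's code and makes no claim about how DocuSeal implements its setup page. It shows the two mitigations discussed: seeding the admin from environment variables so the form is never exposed, and, when no credentials are supplied, gating the form behind a random one-time token that exists only in the server log. The class name, the `SETUP_ADMIN_EMAIL` / `SETUP_ADMIN_PASSWORD` variable names and the in-memory user store are all assumptions made for the example.

```ruby
# Added example (not DocuSeal code): a first-run bootstrap that never leaves an
# open "create the first admin" form reachable by whoever finds the URL first.
#
# Two modes, chosen once at boot:
#   1. SETUP_ADMIN_EMAIL / SETUP_ADMIN_PASSWORD (hypothetical names) are set:
#      the admin is created non-interactively and the form is never exposed.
#   2. Otherwise a random one-time setup token is generated and written to the
#      server log; the form only accepts a submission carrying that token.
# In both modes the setup endpoint refuses to do anything once an admin exists.
require 'openssl'
require 'securerandom'
require 'logger'
require 'stringio'

class FirstRunSetup
  Result = Struct.new(:status, :message)
  PBKDF2_ITERATIONS = 210_000 # OWASP guidance for PBKDF2-HMAC-SHA256
  MIN_PASSWORD_LENGTH = 12

  def initialize(env:, logger: Logger.new($stderr))
    @users = {} # email => { salt:, digest: }; stands in for the real database
    @logger = logger
    @setup_token = nil
    if env['SETUP_ADMIN_EMAIL'] && env['SETUP_ADMIN_PASSWORD']
      create_admin!(env['SETUP_ADMIN_EMAIL'], env['SETUP_ADMIN_PASSWORD'])
      @logger.info('admin seeded from environment; setup form disabled')
    else
      @setup_token = SecureRandom.hex(32)
      @logger.warn("no admin configured; complete setup with token #{@setup_token}")
    end
  end

  def setup_required?
    @users.empty?
  end

  # Handler for the first-run form. `params` is the submitted form as a Hash.
  def handle_setup(params)
    return Result.new(:gone, 'setup already completed') unless setup_required?
    unless valid_token?(params['setup_token'])
      return Result.new(:forbidden, 'missing or invalid setup token')
    end
    if params['password'].to_s.length < MIN_PASSWORD_LENGTH
      return Result.new(:unprocessable, 'password too short')
    end
    create_admin!(params['email'], params['password'])
    @setup_token = nil # single use: a captured token is worthless afterwards
    Result.new(:created, "admin #{params['email']} created")
  end

  def authenticate(email, password)
    rec = @users[email]
    return false unless rec
    secure_compare(pbkdf2(password, rec[:salt]), rec[:digest])
  end

  private

  def create_admin!(email, password)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, digest: pbkdf2(password, salt) }
  end

  def pbkdf2(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                       length: 32, hash: 'sha256')
  end

  def valid_token?(candidate)
    return false if @setup_token.nil? || candidate.nil?
    secure_compare(candidate.to_s, @setup_token)
  end

  # Constant-time comparison so the token cannot be guessed byte by byte from
  # response timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Boot without credentials: the token is printed to stderr, the form is gated.
  app = FirstRunSetup.new(env: ENV.to_h)
  p app.handle_setup('email' => 'x@example.com', 'password' => 'whatever you like')
end
```

A real Rails deployment would use `has_secure_password` (bcrypt) rather than hand-rolled PBKDF2; the stdlib KDF is used here only so the example runs without gems. One caveat on the env-var route the issue proposes: anything in the container environment is visible to `docker inspect` and to every process in the container, so a file-based secret (Docker or Compose secrets) mounted read-only is the usual next step, and the value should be read once at boot and the admin forced to change it on first login.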