Closed mmccool closed 9 months ago
An additional comment here is that the REST API is protected by bearer tokens (generated by the system, not OAuth), but these can be used without TLS on the LAN. See the experimental TDs for Home Assistant access for the Retail test case.
Propose closing; analysis has been done. Summary is that current description mechanisms in TDs work for HA: Bearer tokens, API keys, and TLS.
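A check a TD consumer could run for the case noted above, where a bearer token or API key is described for an endpoint reached without TLS. This is an added example, not code from this thread or from the experimental TDs it mentions; the sample TD, its host name, entity name and the function names are constructed for illustration.

```python
import json
from urllib.parse import urljoin, urlparse

TOKEN_SCHEMES = {"bearer", "apikey"}  # credentials sent verbatim on each request

# Constructed sample TD; host, port and entity name are illustrative only.
SAMPLE_TD = json.loads("""
{
  "@context": "https://www.w3.org/2019/wot/td/v1",
  "title": "ha-living-room-light",
  "base": "http://homeassistant.local:8123/",
  "securityDefinitions": {
    "ha_token": {"scheme": "bearer", "in": "header", "name": "Authorization"},
    "open": {"scheme": "nosec"}
  },
  "security": ["ha_token"],
  "properties": {
    "state": {"forms": [{"href": "api/states/light.living_room"}]},
    "state_tls": {"forms": [{"href": "https://ha.example/api/states/light.living_room"}]},
    "info": {"forms": [{"href": "api/", "security": "open"}]}
  }
}
""")

def as_list(value):
    """TD 'security' may be a single name or an array of names."""
    return [value] if isinstance(value, str) else list(value or [])

def cleartext_token_forms(td):
    """Return (affordance, url, scheme) for each form sending a token over plain HTTP."""
    defs = td.get("securityDefinitions", {})
    findings = []
    for kind in ("properties", "actions", "events"):
        for name, affordance in td.get(kind, {}).items():
            for form in affordance.get("forms", []):
                # Relative hrefs resolve against the TD's base URL.
                url = urljoin(td.get("base", ""), form["href"])
                # Form-level security overrides the Thing-level default.
                active = as_list(form.get("security") or td.get("security"))
                for sec in active:
                    scheme = defs.get(sec, {}).get("scheme")
                    if scheme in TOKEN_SCHEMES and urlparse(url).scheme == "http":
                        findings.append((f"{kind}/{name}", url, scheme))
    return findings

if __name__ == "__main__":
    for where, url, scheme in cleartext_token_forms(SAMPLE_TD):
        print(f"{where}: {scheme} credential over cleartext {url}")
```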
I recently set up Home Assistant (over about 30 devices in my house, mostly Z-Wave, but also some of my own experimental devices) and have some experience now with its security architecture that I should write up. Some brief notes: