SSL Certificates are not validated against CA

[mazzz1y]

Currently, certificate validation is disabled at this location: https://github.com/benphelps/homepage/blob/a8dfdcdac0ea1fb5e215a587c7bfbf0d8ec68e03/src/utils/proxy/http.js#L89

This is unacceptable and needs rectification. If someone requires it, then it would be good to add a configurable option for that.

I have marked this as a bug as I see it as a major issue. Basically, users are sending their api-keys as plain text over the internet, because their requests are vulnerable to MITM attacks

[shamoon]

This is an intentional decision with which you disagree, not a bug.

Changing this to default to the opposite would be breaking for many users with self-signed certs (common with self-hosted) which I think is worth consideration

[mazzz1y]

Many users may not be aware that their requests are unencrypted. I still believe that this is a critical issue

[mazzz1y]

I suggest replacing these points in readme:

This:

Secure - All API requests to backend services are proxied, keeping your API keys hidden. Constantly reviewed for security by the community.

By this:

Non-Secure - All API requests to backend services are not validated against CA, leaving your API keys vulnerable to anyone on your network. Constantly reviewed for non-security by the community.

It will make app description more honest and transparent for users who are currently using or considering using this app. If you'd like, I can open a PR.

[github-actions[bot]]

This discussion has been automatically closed due to inactivity. See our contributing guidelines for more details.

[github-actions[bot]]

This discussion has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion for related concerns. See our contributing guidelines for more details.