[web_server] Document lack of cross-site protections#6946
Conversation
Add a Security section to the web_server component and a CSRF note to the security best practices guide, explaining that the web server has no CSRF / Origin checks and a permissive CORS policy by design, and how to defend it.
✅ Deploy Preview for esphome ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughDocumentation changes add a "Security" section to the web_server component page and a NOTE callout to the security best practices guide, both describing the web server's intentional lack of CSRF/Origin protections, permissive CORS policy, and recommended mitigations via ChangesWeb Server Security Documentation
Estimated code review effort: 1 (Trivial) | ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the ESPHome documentation to explicitly state that the web_server component does not implement cross-site request protections by design, and to describe the security implications (including web OTA exposure) along with recommended mitigations and a link to the project threat model.
Changes:
- Added a CSRF/cross-site warning note to the Security Best Practices guide.
- Added a new “Security” section to the
web_servercomponent docs covering cross-origin control/OTA risks and mitigations. - Linked both locations to the ESPHome threat model documenting this behavior as intentional.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/content/docs/guides/security_best_practices.mdx | Adds a CSRF/cross-site note describing the web server’s cross-origin behavior and defenses. |
| src/content/docs/components/web_server.mdx | Adds a Security section describing cross-site implications, web OTA risk, and mitigations with a threat model link. |
Description
Documents that the
web_servercomponent has no cross-site protections by design: it performs no CSRF,Origin, orRefererchecks and uses a permissive CORS policy, so it can be driven cross-origin from a web page open on the same network. Adds aSecuritysection to the web_server component page covering the web OTA implications and defenses (auth:, network segmentation, native OTA), and a matching CSRF[!NOTE]to the security best practices guide. Both link to the project threat model, which documents this as intentional.Related issue (if applicable): fixes
Pull request in esphome with YAML changes (if applicable):
Checklist
I am merging into
nextbecause this is new documentation that has a matching pull-request in esphome as linked above.or
I am merging into
currentbecause this is a fix, change and/or adjustment in the current documentation and is not for a new component or feature.Link added in
/src/content/docs/components/index.mdxwhen creating new documents for new components or cookbook.