Skip to content

[web_server] Document lack of cross-site protections#6946

Merged
jesserockz merged 1 commit into
currentfrom
jesserockz-2026-418
Jul 9, 2026
Merged

[web_server] Document lack of cross-site protections#6946
jesserockz merged 1 commit into
currentfrom
jesserockz-2026-418

Conversation

@jesserockz

Copy link
Copy Markdown
Member

Description

Documents that the web_server component has no cross-site protections by design: it performs no CSRF, Origin, or Referer checks and uses a permissive CORS policy, so it can be driven cross-origin from a web page open on the same network. Adds a Security section to the web_server component page covering the web OTA implications and defenses (auth:, network segmentation, native OTA), and a matching CSRF [!NOTE] to the security best practices guide. Both link to the project threat model, which documents this as intentional.

Related issue (if applicable): fixes

Pull request in esphome with YAML changes (if applicable):

  • esphome/esphome#

Checklist

  • I am merging into next because this is new documentation that has a matching pull-request in esphome as linked above.
    or

  • I am merging into current because this is a fix, change and/or adjustment in the current documentation and is not for a new component or feature.

  • Link added in /src/content/docs/components/index.mdx when creating new documents for new components or cookbook.

Add a Security section to the web_server component and a CSRF note to the
security best practices guide, explaining that the web server has no CSRF /
Origin checks and a permissive CORS policy by design, and how to defend it.
Copilot AI review requested due to automatic review settings July 9, 2026 04:39
@esphome esphome Bot added the current label Jul 9, 2026
@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for esphome ready!

Name Link
🔨 Latest commit 2fed0d1
🔍 Latest deploy log https://app.netlify.com/projects/esphome/deploys/6a4f260f6dbb360008f3a5c0
😎 Deploy Preview https://deploy-preview-6946--esphome.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3f7626e-9b74-4317-99a1-9deb02f6ce1a

📥 Commits

Reviewing files that changed from the base of the PR and between 5aae1d4 and 2fed0d1.

📒 Files selected for processing (2)
  • src/content/docs/components/web_server.mdx
  • src/content/docs/guides/security_best_practices.mdx

Walkthrough

Documentation changes add a "Security" section to the web_server component page and a NOTE callout to the security best practices guide, both describing the web server's intentional lack of CSRF/Origin protections, permissive CORS policy, and recommended mitigations via auth: and network segmentation.

Changes

Web Server Security Documentation

Layer / File(s) Summary
Security warnings and recommendations
src/content/docs/components/web_server.mdx, src/content/docs/guides/security_best_practices.mdx
Adds a new "Security" section describing the lack of CSRF/Origin/Referer checks and permissive CORS, along with recommendations (auth:, network segmentation, web OTA protection); adds a matching NOTE callout in the security best practices guide referencing the same threat model.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main documentation change about web_server cross-site protections.
Description check ✅ Passed The description directly matches the documented security updates and guidance in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jesserockz-2026-418

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the ESPHome documentation to explicitly state that the web_server component does not implement cross-site request protections by design, and to describe the security implications (including web OTA exposure) along with recommended mitigations and a link to the project threat model.

Changes:

  • Added a CSRF/cross-site warning note to the Security Best Practices guide.
  • Added a new “Security” section to the web_server component docs covering cross-origin control/OTA risks and mitigations.
  • Linked both locations to the ESPHome threat model documenting this behavior as intentional.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/content/docs/guides/security_best_practices.mdx Adds a CSRF/cross-site note describing the web server’s cross-origin behavior and defenses.
src/content/docs/components/web_server.mdx Adds a Security section describing cross-site implications, web OTA risk, and mitigations with a threat model link.

Comment thread src/content/docs/components/web_server.mdx
Comment thread src/content/docs/guides/security_best_practices.mdx
Comment thread src/content/docs/components/web_server.mdx
@jesserockz jesserockz merged commit 1669b9b into current Jul 9, 2026
15 checks passed
@jesserockz jesserockz deleted the jesserockz-2026-418 branch July 9, 2026 05:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants