Feature Request: Custom Request Headers #1722
Replies: 23 comments 20 replies
-
+1 for this. I too am in the same boat |
Beta Was this translation helpful? Give feedback.
-
+1 would like to use cloudflare access tokens for this as well |
Beta Was this translation helpful? Give feedback.
-
+1 same use case 👍 |
Beta Was this translation helpful? Give feedback.
-
I have found that if enter my email into the cloudflare form and enter the authorization code, I'm able to login to Home Assistant. I set the expiration to the longest I can on cloudflare. However, It would be much nicer to use a header so I don't have to enter the code regularly. |
Beta Was this translation helpful? Give feedback.
-
+1 for this! |
Beta Was this translation helpful? Give feedback.
-
+1 |
Beta Was this translation helpful? Give feedback.
-
To help future readers until this Feature Request is accepted.
Credits to @heyevwebody for this. |
Beta Was this translation helpful? Give feedback.
-
This is a much desired feature! I implemented Beacons and the WARP client to access my zero trust tunnels. Not fully flushed out yet, but appears it could be pretty solid - just need a little more time. Details here: https://github.com/geekbleek/cloudflare-beacon Never need to auth (web, HA, etc.), can use WARP & Zero Trust + Beacons to seamlessly switch from internal to external DNS/IPs (assuming you have split DNS), and can provide access to rest of your network or self-hosted applications. No need to open external network ports to the entirety of the world. Having a token auth appended by HA client would be much simpler to setup, but also require re-auth to Cloudflare Access pretty regularly. I think the real winner will be when Cloudflare enables device attestation tokens (iOS etc) on Access, which will enable remote local network access entirely without the WARP client, at which point the token auth appended by HA client would be key. |
Beta Was this translation helpful? Give feedback.
-
I would love to have this feature as well, though for a slightly different use case. I'm running HA behind Traefik with Authelia. I'm using the lovely https://github.com/BeryJu/hass-auth-header custom component to let Authelia act as the sole source of truth for authentication, which works great for the web UI. However, for the mobile apps, this is not reliable; it does not seem to consistently hold on to the cookies from Authelia. There does not seem to be a consistent workaround for this that doesn't involve opening unauthenticated holes in Authelia, but I'd really prefer not to expose HA as an attack surface. With the requested feature, I could easily configure Traefik to let mobile traffic bypass Authelia, by setting a header with a pre-defined secure key. |
Beta Was this translation helpful? Give feedback.
-
For my case, iOS + cloudflare the proposed solution in this guide works flawlessly: https://usher.dev/posts/exposing-home-assistant-using-cloudflare-tunnel/ |
Beta Was this translation helpful? Give feedback.
-
There was a PR to add this, but it was rejected: #2596 This is somewhat frustrating since this is one of the most voted feature requests on GitHub Discussions. |
Beta Was this translation helpful? Give feedback.
-
So I have secured my home network by utilizing, as many in this thread, cloudflares network services. Maybe a header option doesn't comply with top Home Assistant goals and there's the Nabu Casa option too. I'm happy I got the cast dashboard function to work with an extra WAF rule. Thank you heyevwebody! |
Beta Was this translation helpful? Give feedback.
-
It feels like there is real a resistance from maintainers to this or any similar idea as it would provide an alternative to HA Cloud. Such a shame that a feature that increases end user security is being blocked like this. |
Beta Was this translation helpful? Give feedback.
-
Consider voting for this feature request: https://community.home-assistant.io/t/secure-communication-channel-for-ios-app/785129 |
Beta Was this translation helpful? Give feedback.
-
I'd like the ability in the connection page of 2.0 to be able to define custom additional headers that can be added to the webhook and other calls to HA. I understand this likely isn't possible to append these headers for the webview, but that isn't an issue in the case I have in mind.
Essentially my HA install is behind a CloudFlare proxy utilizing cloudflare access. This allows for apps to request a verification step, usually via email before allowing a request to the real site. This works fine for a web view since the captive portal is displayed and the user can input the correct info.
However, it does not work for the webhook messages back to HA that do not include the cloudflare header and so I'd be nice to be able to add these headers manually such that things like actions, push notification actions, and location updates work as intended.
https://developers.cloudflare.com/access/setting-up-access/securing-applications/
Above is a link for more info on CloudFlare access.
Beta Was this translation helpful? Give feedback.
All reactions