False security: Dashy's client-side authentication

submitted by
Style Pass
2024-03-28 17:00:12

About a month ago, I went looking for a dashboard for my homelab—something to help visualize the services I run. I found Dashy, a popular (14.6k GitHub stars) dashboard designed for self-hosters. I deployed it and started configuring it, but noticed that something about its authentication felt off. I started digging and quickly found its security to be borderline useless, permitting unauthenticated reads and writes of its configuration. I’m sharing my findings here with two goals: encouraging self-hosters to think critically about their apps, and encouraging developers to document their app’s security with care.

A quick primer: Dashy’s an “open source, highly customizable, easy to use, privacy-respecting dashboard app.” Dashy provides an extensive set of features for its purpose, including status monitoring, widgets, customizable layouts, and—most importantly for our discussion today—authentication.

Dashy has full support for secure single sign-on using Keycloak for secure, easy authentication; see the setup docs for a full usage guide. There is also a basic auth feature, which doesn’t require additional setup.
