Update 3/28: The devs have announced that the auth system is to be deprecated. See details below.
About a month ago, I went looking for a dashboard for my homelab—something to help visualize the services I run. I found Dashy, a popular (14.6k GitHub stars) dashboard designed for self-hosters. I deployed it and started configuring it, but noticed that something about its authentication felt off. I started digging and quickly found its security to be borderline useless, permitting unauthenticated reads and writes of its configuration.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Dashy, a popular dashboard app, has a fundamentally broken client-side authentication system that can be easily bypassed, leaving sensitive information exposed. The app's security depends on the user's browser, making it vulnerable to tampering. Dashy recommends alternative authentication methods like reverse proxies to ensure better security. Dashy's developers are advised to update the project documentation and consider removing the authentication system entirely. Users are cautioned to be careful when storing API keys in widget configurations and to use extra caution when exposing Dashy to the internet.

False security: Dashy's client-side authentication