I have a feature request that I think applies to both GDO White and GDO blaQ since I believe they are both based on ESPHome.
There is a default webserver running on ESPHome devices that is accessible from the local network without any authentication. On the GDO blaQ this webserver has buttons to control the garage, specifically open the garage.
I’d like the ability to disable these buttons so that control is only possible through Home Assistant via the encrypted ESPHome connection.
Turning off the entire webserver seems like overkill, please give us the ability to lock out the control buttons for unauthenticated requests.
The solution you’re probably looking for is is to enable the username and password option on the built-in webserver. There are two ways to do this:
If you’re managing your ESPhome config yourself via ESPHome dashboard, use the auth config of the web_server component to enable a digest authentication username and password, for example:
If you’re not into managing YAML or learning ESPHome config and want Konnected’s done-for-me solution, use the Konnected app to customize your device’s build. The authentication option can be added, or the web server disabled entirely on the Local Web Page / API settings screen:
This firmware configuration service will be rolled out for the GDO blaQ in the next app update within a week. It’s currently live for the GDO White as well as our Alarm Panel products.
ESPHome automatically builds the web page and REST API based on the device’s components, so as far as I know it’s not possible at this time to selectively disable a specific component on the web page. Also, simply hiding the buttons would not be truly secure because the underlying API endpoints will still be active.
The best solution at this time is to add the authentication or disable the web server entirely.
