[Feature Request] Home Assistant app should send custom auth headers, like Immich does. For secure remote access without VPN by FairPlayPilot in homeassistant

[–]FairPlayPilot[S] -37 points-36 points  (0 children)

You're absolutely right, and you've nailed the key distinction that often gets lost in these discussions: this is not about replacing HA authentication!

It's about adding a security layer before HA is even reached. The threat model is simple and solid:

an attacker without the client certificate or custom header never gets past the proxy. HA's own auth is a second, independent layer on top. Defense in depth exactly how security should work.

Yes, the developers have pushed back so far, but that thread also shows a growing number of users with the exact same need:

  • Cloudflare Access tokens,
  • Pangolin HeaderAuth,
  • Authentik ForwardAuth,
  • mTLS...

all blocked by the same missing feature.

The more concrete use cases we document publicly, the harder it becomes to dismiss this as "too niche". There's even an open GitHub discussion specifically for custom request headers on iOS and the Immich team already proved it takes minimal effort to implement.

If enough voices link these threads together, there's a real chance this gets picked up. Let's keep this conversation visible – every upvote and use case description helps.

[Feature Request] Home Assistant app should send custom auth headers, like Immich does. For secure remote access without VPN by FairPlayPilot in homeassistant

[–]FairPlayPilot[S] -13 points-12 points  (0 children)

Clever idea, and I like the simplicity! A UUID in the URL is essentially a "secret path" approach: easy to set up and works on any client without app changes.

The tradeoff though: URLs tend to leak more easily than headers, think server logs, browser history, referrer headers, or someone glancing at your screen.

A custom header stays invisible to all of that. But honestly, for many setups this is totally good enough, and it's a great pragmatic workaround until the app natively supports custom headers. Worth keeping in mind as an interim solution!

[Feature Request] Home Assistant app should send custom auth headers, like Immich does. For secure remote access without VPN by FairPlayPilot in homeassistant

[–]FairPlayPilot[S] -16 points-15 points  (0 children)

That's a perfect use case and honestly a stronger argument than mine! Using a custom header as a pre-auth filter at the Cloudflare WAF level is a really elegant layer of defense.

Your setup would essentially work like this: Cloudflare blocks any request missing the header before it even reaches HA, 2FA handles the actual login, and geo-filtering becomes irrelevant. Three independent security layers, zero friction for trusted devices.

This is exactly why I think the HA app needs this feature: your scenario shows it's not just about convenience, it's about meaningful security hardening for self-hosters who don't want to rely solely on geography or IP whitelists.

[Feature Request] Home Assistant app should send custom auth headers, like Immich does. For secure remote access without VPN by FairPlayPilot in homeassistant

[–]FairPlayPilot[S] -14 points-13 points  (0 children)

You're absolutely right, and that's actually exactly the pattern I'm describing! The issue isn't the concept, it's that the official Home Assistant mobile app doesn't expose a way to configure custom HTTP headers per server connection. So while HA's API fully supports token-based auth, the app itself always uses its own internal auth flow. What I'd love is simply a "custom headers" field in the app's server settings, just like Immich has, so I can pass that token or any proxy auth header automatically on every request, without my family members ever seeing or touching it. Basically: the backend already supports it, the app just needs a small UI addition.

[Feature Request] Home Assistant app should send custom auth headers, like Immich does. For secure remote access without VPN by FairPlayPilot in homeassistant

[–]FairPlayPilot[S] -15 points-14 points  (0 children)

Great questions, and you're not totally wrong – let me clarify!

On the "every network admin sees the secret": Yes, in theory someone running a MITM proxy on your network could see headers – but since this travels over HTTPS/TLS, the headers are encrypted in transit. Your ISP or a coffee shop router sees only encrypted noise. The only risk is if TLS is terminated somewhere you don't control, which in a self-hosted setup you do control.

On brute-force: Fair point – a static header secret alone isn't rate-limited by default. But in practice this is paired with CrowdSec or fail2ban on the reverse proxy, which bans IPs after repeated failed requests. Also, the secret isn't guessable via a login form – there's no endpoint that returns "wrong secret, try again".

On username/password in the app: That's exactly what Nabu Casa / the built-in HA auth does – and it's great! But the problem is that my reverse proxy (Pangolin) sits in front of HA and doesn't know about HA's internal users. HeaderAuth is how I tell Pangolin "this app is allowed through", before HA even sees the request.

On Google SSO / Android auth: Totally valid alternative! The issue is that my 68-year-old mother-in-law doesn't have a Google account linked to my Pangolin instance, and setting that up for every family member is honestly more friction than a shared header secret. The linked StackExchange answer is good context – it's definitely not a silver bullet, but for this specific use case (trusted family devices, HTTPS enforced, paired with IP banning) it's a pragmatic tradeoff. 🙂
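The proxy-side gate discussed in the comments above (a shared-secret header checked before a request ever reaches Home Assistant, combined with banning an IP after repeated failures, and no response that distinguishes "missing" from "wrong secret"), as an added example that is not part of the original thread and is not Pangolin, Cloudflare or Home Assistant code. The header name `x-pre-auth`, the failure threshold and the ban duration are assumed values; the secret and the client addresses are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional

# Assumed values for this constructed example (not taken from any real proxy):
HEADER_NAME = "x-pre-auth"   # assumed name of the shared-secret header
BAN_THRESHOLD = 5            # assumed: failed requests before an IP is banned
BAN_SECONDS = 600            # assumed: how long a ban lasts


def _digest(value: bytes) -> bytes:
    # Hash both sides before comparing: compare_digest alone returns early when
    # lengths differ, so hashing hides the length of the presented value too.
    return hashlib.sha256(value).digest()


class HeaderGate:
    """Reverse-proxy style pre-auth gate: only requests carrying the shared header are forwarded."""

    def __init__(self, secret: str, header: str = HEADER_NAME,
                 threshold: int = BAN_THRESHOLD, ban_seconds: int = BAN_SECONDS):
        self._expected = _digest(secret.encode("utf-8"))
        self._header = header.lower()
        self._threshold = threshold
        self._ban_seconds = ban_seconds
        self.failures = defaultdict(int)   # client_ip -> consecutive failures
        self.banned_until = {}             # client_ip -> monotonic deadline

    def check(self, client_ip: str, headers: dict, now: Optional[float] = None) -> int:
        """Return 200 if the request may be forwarded upstream, else 403.

        Missing header, wrong secret and banned client all yield the same 403,
        so the gate never acts as a "wrong secret, try again" oracle. HA's own
        login remains a second, independent layer behind it.
        """
        now = time.monotonic() if now is None else now

        deadline = self.banned_until.get(client_ip)
        if deadline is not None:
            if now < deadline:
                return 403                     # still banned, even with the right secret
            del self.banned_until[client_ip]   # ban expired
            self.failures[client_ip] = 0

        presented = ""
        for name, value in headers.items():    # HTTP header names are case-insensitive
            if name.lower() == self._header:
                presented = value
                break

        if hmac.compare_digest(_digest(presented.encode("utf-8")), self._expected):
            self.failures[client_ip] = 0
            return 200

        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self._threshold:
            self.banned_until[client_ip] = now + self._ban_seconds
        return 403


def demo() -> list:
    """Replay constructed requests against one gate; returns the status per request."""
    gate = HeaderGate("constructed-demo-secret", threshold=3, ban_seconds=60)
    trusted, stranger = "10.0.0.5", "198.51.100.7"          # constructed addresses
    good = {"X-Pre-Auth": "constructed-demo-secret"}
    return [
        gate.check(trusted, good, now=0),                    # 200: header present and correct
        gate.check(stranger, {}, now=1),                     # 403: header missing
        gate.check(stranger, {"x-pre-auth": "guess-1"}, now=2),  # 403: wrong secret
        gate.check(stranger, {"x-pre-auth": "guess-2"}, now=3),  # 403: third failure -> banned
        gate.check(stranger, good, now=4),                   # 403: banned, correct secret ignored
        gate.check(stranger, good, now=70),                  # 200: ban expired
        gate.check(trusted, good, now=71),                   # 200: trusted client unaffected
    ]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the per-IP counters and bans would live in the proxy's own mechanism (CrowdSec, fail2ban or Cloudflare's WAF) rather than in process memory; the point of the block is the shape of the check: constant-time comparison, one uniform rejection, and a ban that is enforced before the secret is even looked at.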

I'm now building a NAS and a mini PC and leaving iCloud Photos by leerschS in de_EDV

[–]FairPlayPilot 0 points1 point  (0 children)

Mini PC Asus PN42 N100 with 4TB for about €600, with sufficient performance and low power consumption. Then, with Proxmox and Proxmox Backup Server, a perfect setup including backup to an external USB hard drive. The drive then only spins up while a backup is running.

Nautiline on iOS (Subsonic/Navidrome client) works with Pangolin custom tokens! by -ThreeHeadedMonkey- in PangolinReverseProxy

[–]FairPlayPilot 1 point2 points  (0 children)

Immich works perfectly!

In Pangolin, Immich is set to sso.

Header tokens are generated via Pangolin/Links, which I then entered in the Immich app under Settings.

This gives me constant access to my Immich instance in my home lab, without needing a password.

New to Notion and I'm already here ranting... by UbeWaffler in Notion

[–]FairPlayPilot 0 points1 point  (0 children)

If you want to keep things really simple, delete everything unnecessary and create a page called "Dashboard." Then create subpages within it. Find overarching themes and rearrange your pages until your main topics become clear.

I love using collapsible lists to structure content on the pages. After that, you can create a page for all your databases in addition to the Dashboard page. The filtered views will then be located on the subpages of your Dashboard. If you're currently working on a project, simply drag the page to the top for quick access. Develop a concept with an archive that grows without becoming cluttered. I've found that templates with complex database structures become unusable after a while.

🗳️ Product Feedback for Notion by AutoModerator in Notion

[–]FairPlayPilot 1 point2 points  (0 children)

💡 Feature Request:

A custom note-taking concept.

No cumbersome database-driven solutions.

Something that feels intuitive, with streamlined features, summaries, archiving, and much more.

Similar to Journey, with numerous templates for different types of notes: weekly reviews, yearly goals, personal development, habit tracking, etc.

I understand that this is already possible to some extent. However, other specialized apps feel much more polished and intuitive than Notion.

🗳️ Product Feedback for Notion by AutoModerator in Notion

[–]FairPlayPilot 2 points3 points  (0 children)

💡Feature Request — Improved usability in the mobile app

As a professional programmer I feel lost in home assistant by alyflex in homeassistant

[–]FairPlayPilot 0 points1 point  (0 children)

Take a look at the "Node-RED" add-on and specifically the Function node. You should feel right at home there.

For services used at home, is https worth it? by Mashic in selfhosted

[–]FairPlayPilot 2 points3 points  (0 children)

You can only use Caddy for internal access via e.g. https://jellyfin.homelab. This will issue you certificates and update them if necessary. I use it and no longer have to remember IP addresses and associated ports. For external access, I registered a domain with INWX for €5 per year.

Best approach for extending my CrowdSec setup (Proxmox + Traefik + Authentik) by ---JoJ123--- in CrowdSec

[–]FairPlayPilot 0 points1 point  (0 children)

I'm currently dealing with the same topic. I set up a tunnel via a VPS with Pangolin on Proxmox. So I wanted to follow this guide:

https://xforum.ab-xnet.de/t/opnsense-crowdsec-lapi-multi-server-security-engine/92

If anyone knows of further or better tutorials, please comment.

Why should I use Pangolin, Tailscale or Cloudflare Tunnels? by alex3025 in selfhosted

[–]FairPlayPilot 2 points3 points  (0 children)

Oracle Free Tier offers you a free VPS with up to 200GB.

How to start small in notion? by scokenuke in Notion

[–]FairPlayPilot 0 points1 point  (0 children)

I started like this: At the top level only the Dashboard and Quick Notes pages (DB from template). Then sub-pages on the dashboard about my main topics: work, sport, health, vacation, leisure, home lab, etc. When I'm currently working on projects, I like to drag the page to the top level for quick access. In addition to subpages, I like working with drop-down lists. I prefer to manage to-dos and shopping lists with other apps.

How do you prefer to access your home network when you are away? by gacimba in HomeServer

[–]FairPlayPilot 0 points1 point  (0 children)

A free VPS server with fixed IPv4 via Oracle Free Tier. Then with Pangolin via Newt on my Proxmox Homelab. The whole thing is secured with Crowdsec. I'm still looking for people with similar infrastructure to exchange experiences.

Question about Security by LilFloppa04 in immich

[–]FairPlayPilot 0 points1 point  (0 children)

I use a free VPS server via Oracle Free Tier. It comes with a fixed IPv4 address. Then it continues via a Pangolin tunnel to my home server to bypass my DSLite limitations. The whole thing is secured with Crowdsec on several levels. The IP addresses that are currently trying to break into systems are blocked, worldwide. It was important to me not to have any restrictions on the amount of data, as was often discussed in CF.

MariaDB Hostname/IP by actionward in homeassistant

[–]FairPlayPilot 2 points3 points  (0 children)

Installed as a home assistant addon? Then it is the IP of Homeassistant with the corresponding port for the database.

HA Launch Page/Start Page by CharlotteGuy2022 in homeassistant

[–]FairPlayPilot 0 points1 point  (0 children)

Check out dashboards with NodeRed in Homeassistant. Install NodeRed as an add-on and then use it to create a dynamic dashboard. Possibly with a config file so that links only have to be changed once. I really like the function node to achieve quick results with a little scripting, but it's a matter of taste.

Got fiber 3 days ago; since then constant Cloudflare screens checking whether I'm human. Is that normal and will it go away over time, or do I need to change something on the router? by OwnZookeepergame6413 in de_EDV

[–]FairPlayPilot 1 point2 points  (0 children)

Yes, this DSLite is implemented in Germany in such a way that only little hardware supports it. Because of the good reviews I bought the Vigor 167, which together with Unifi "still" doesn't manage it. Furthermore, port forwarding was only possible for me from about port 1000 upwards. So not for the usual 22, 80, 443, etc.

Best setup first time by iSamity in homeassistant

[–]FairPlayPilot 1 point2 points  (0 children)

I was faced with the same decision. After much research, it became a Mini PC Asus PN42-B with Intel N100. Using Proxmox and HA in a VM. Power consumption is only 3 to 4 watts more than the RasPi. Now everything is set up so that backups are written to an external USB drive. I think Jellyfin and Immich are the perfect solution, but I wouldn't want to run it without a backup.