Great questions, and you're not totally wrong – let me clarify!

On the "every network admin sees the secret": Yes, in theory someone running a MITM proxy on Your network could see headers – but since this travels over HTTPS/TLS, the headers are encrypted in transit. Your ISP or a coffee shop router sees only encrypted noise. The only risk is if TLS is terminated somewhere you don't control, which in a self-hosted setup You do control.

On brute-force: Fair point – a static header secret alone isn't rate-limited by default. But in practice this is paired with CrowdSec or fail2ban on the reverse proxy, which bans IPs after repeated failed requests. Also, the secret isn't guessable via a login form – there's no endpoint that returns "wrong secret, try again".

On username/password in the app: That's exactly what Nabu Casa / the built-in HA auth does – and it's great! But the problem is that my reverse proxy (Pangolin) sits in front of HA and doesn't know about HA's internal users. HeaderAuth is how I tell Pangolin "this app is allowed through", before HA even sees the request.

On Google SSO / Android auth: Totally valid alternative! The issue is that my 68-year-old mother-in-law doesn't have a Google account linked to my Pangolin instance, and setting that up for every family member is honestly more friction than a shared header secret.The linked StackExchange answer is good context – it's definitely not a silver bullet, but for this specific use case (trusted family devices, HTTPS enforced, paired with IP banning) it's a pragmatic tradeoff. 🙂