Unauthenticated JSON access

  • Unauthenticated JSON access

    I'm starting to set up a HomeSeer installation at my house - this is my first go about it, so I've been poking around with a lot of things trying to understand how it all works together. I couldn't sleep last night, and decided I would spend a little time doing some security tests on the HomeSeer device. Thing seems (mostly) fine, except for one thing that seemed odd - I'm wondering if there is just a setting I'm missing.

    By default, HomeSeer is configured to allow access to the web portal with no username/password when the connection is coming from the same LAN. While I disagree with that being the default, I do appreciate that there is a simple and well-labeled checkbox that allows me to require credentials regardless. However, upon some further testing, I found that this setting does not apply to endpoints outside of the web interface; most notably, the /JSON interface is accessible without authentication. This is a bit worrying as, not only does it allow a full device status list (request=getstatus), it also allows updating of devices (request=controldevicebyref). As a quick test, I was able to unlock all of my doors without any authentication info.

    Is there a setting to require authentication for all web endpoints, including the JSON endpoints?

  • #2
    I don’t believe there is. I’d contact HS support (or page Rich @rjh
    HS 1990 Devices 1172 Events
    Z-Wave 126 Nodes on one Z-Net


    • #3
      I'm getting '401 Unauthorized' for JSON requests with the checkbox unchecked.

      Windows 7, HS3 Pro Edition
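
Added example, not part of the thread and not HomeSeer's own code: a read-only check an owner can run against their own controller to see which of the two behaviours reported above it shows (open access as in the first post, or 401 as in #3). It assumes the endpoint is reachable as `/JSON?request=getstatus` under the base URL; the function names, the result labels and the choice to count a redirect as "protected" belong to this example.

```python
import json
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies instead of silently following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Map an unauthenticated reply to 'protected', 'exposed' or 'inconclusive'."""
    if status in (401, 403) or 300 <= status < 400:
        return "protected"  # assumption: a redirect means a login page
    if status != 200:
        return "inconclusive"
    try:
        parsed = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return "inconclusive"  # e.g. an HTML login form served with 200
    # A JSON object or array returned with no credentials means the data leaked.
    return "exposed" if isinstance(parsed, (dict, list)) else "inconclusive"


def check_json_auth(base_url, timeout=5.0):
    """Send one credential-free, read-only getstatus request and classify it."""
    url = base_url.rstrip("/") + "/JSON?request=getstatus"
    # Empty ProxyHandler: talk to the LAN device directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")
    except OSError:  # URLError, timeouts, refused connections
        return "inconclusive"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_json_auth.py http://<controller-address>")
    print(check_json_auth(sys.argv[1]))
```

Running it once with the credentials checkbox unticked and once with it ticked, from a machine on the same LAN, shows whether the setting actually covers the JSON endpoint on a given installation.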