Enhance Security by Warning Users About Use via HTTP, Hashing Login Credentials, Encrypting HTTP Payloads, and Improving Docker Defaults in Open WebUI #2563

Closed
opened 2025-11-11 15:09:45 -06:00 by GiteaMirror · 1 comment

Originally created by @gwpl on GitHub (Nov 4, 2024).

Enhance Security by Warning Users About Use via HTTP, Hashing Login Credentials, Encrypting HTTP Payloads, and Improving Docker Defaults in Open WebUI

The transmission of login credentials in plaintext poses a security risk. Implementing client-side password hashing, encrypted HTTP payloads, and secure Docker defaults (including HTTPS) will improve user safety, especially for less experienced users.

Description

Captured local network traffic revealed that login credentials (username and password) are transmitted in plaintext. This presents a significant vulnerability, exposing users to potential data interception if the setup is not properly secured.

Acknowledgement of Current Best Practices

Documentation advises users to deploy Open WebUI through a reverse proxy or restrict access via firewall settings to ensure it is used only locally.

However, considering the broad and diverse audience of casual users who may not follow these guidelines, even small improvements can greatly enhance their security.

Recommendations

  1. Notification for Non-Localhost Access: Implement a notification text box in the web interface that displays a warning when the URL is detected to be something other than localhost/127.0.0.1. This notification should be closable, providing a gentle reminder to users about potential security risks when accessing Open WebUI over non-local connections.
  2. Credential Protection: Implement client-side hashing of passwords using a provided salt before transmission. Validate these on the server side against stored hashed and salted records.
  3. Encrypted Payloads Over HTTP: While HTTPS should be the standard, consider adding encryption for login data and responses over HTTP to enhance security. Display warnings in the web UI if the server is not localhost or lacks HTTPS.
  4. Improved Docker Configurations: Extend default Docker setups to auto-generate credentials on first run or periodically and enable HTTPS by default to help prevent misconfigurations.

Justification and Commentary

Understanding that Open WebUI is a popular tool with a wide range of users, from highly technical to less skilled, it’s crucial to balance robust security practices with accessibility. While best practices advocate for fully local setups or the use of reverse proxies with HTTPS, many users might not have the expertise to configure these properly. This creates potential vulnerabilities, especially considering the common (though not recommended) practice of password reuse.

Adding client-side hashing, payload encryption, and secure Docker configurations can provide layers of protection even for those who might overlook or struggle with ideal setups. These enhancements are not about undermining current best practices but about showing care for the community, acknowledging the real-world scenarios users face, and reinforcing the project’s reputation for user-centric design.

Appreciation

Thank you for your outstanding work on Open WebUI. Your dedication to open-source development is deeply valued. These suggestions aim to bolster user protection while maintaining ease of use and supporting the diverse audience that benefits from this project.


@tjbck commented on GitHub (Nov 4, 2024):

It’s out of [project name] scope


Reference: github-starred/open-webui#2563