Securing


One major advantage of Home Assistant is that it’s not dependent on cloud services. Even if you’re only using Home Assistant on a local network, you should take steps to secure your instance.

Checklist

Here’s the summary of what you must do to secure your Home Assistant system:

☐ Configure secrets (but do remember to back them up)
☐ Regularly keep the system up to date

If you only want to use components supported by Home Assistant Cloud, then you don’t need to enable remote access. This is obviously the most secure option, but it does mean that you’re relying on a cloud service for that functionality.

☐ For remote access to the UI, use a VPN, Tor, or an SSH tunnel
☐ For remote access for components, use a TLS/SSL certificate

You should

As well as the above, we advise that you consider the following to improve security:

All installs

If you’ve forwarded any ports to your Home Assistant system from the Internet, then it will be found by others. Whether through services like Shodan or through direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password, then it is simply a matter of time before somebody finds your system and starts abusing it, potentially in as little as a few hours.

Remote access for just the UI

If you only want remote access to the web UI, then we advise that you follow the All installs section and then set up one of:

  • A VPN such as PiVPN or ZeroTier, which will give you access to your whole home network
  • Tor, which also avoids the need for port forwarding
  • An SSH tunnel to connect to your frontend

Remote access for components

For remote access for a component, for example a device tracker, you have to enable access to the API by:

  1. Following the steps in All installs, then
  2. Forwarding a port and protecting your communication with one of:
    • A TLS/SSL certificate (you can use one from Let’s Encrypt, or any commercial SSL certificate vendor)
    • A self-signed certificate (be warned, though, that some services will refuse to work with self-signed certificates)
  3. Optionally using a proxy such as NGINX or Apache, which lets you provide finer-grained access. You could use this to limit access to specific parts of the API (for example, only /api/owntracks/)
  4. Enabling IP filtering and configuring a low login attempts threshold
  5. If you use a proxy, installing fail2ban to monitor your proxy logs (or the Home Assistant logs) for failed authentication attempts
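As an added example of steps 2 and 3 (not configuration from the Home Assistant project itself), this NGINX server block terminates TLS with a Let’s Encrypt certificate and forwards only /api/owntracks/ to Home Assistant, refusing every other path. The hostname ha.example.com, the certificate paths under /etc/letsencrypt/ and Home Assistant listening on 127.0.0.1:8123 are assumptions for the example.

```nginx
# Added example: NGINX as a TLS-terminating reverse proxy in front of
# Home Assistant, exposing only the OwnTracks API path to the Internet.
# Assumed values: hostname ha.example.com, Let's Encrypt paths under
# /etc/letsencrypt/, and Home Assistant listening on 127.0.0.1:8123.

server {
    listen 80;
    server_name ha.example.com;
    # Send every plain-HTTP request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.example.com;

    # Certificate and key issued by Let's Encrypt (assumed paths).
    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Dedicated log file so fail2ban (step 5) can watch it for failures.
    access_log /var/log/nginx/homeassistant.access.log;

    # Only the OwnTracks endpoint is reachable from outside.
    location /api/owntracks/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The UI and the rest of the API are refused here; reach them over
    # your VPN, Tor or SSH tunnel instead.
    location / {
        return 404;
    }
}
```

For the IP filtering in step 4 to ban the real client address rather than the proxy’s, Home Assistant must be told to trust the proxy’s X-Forwarded-For header (in current versions, the http integration’s use_x_forwarded_for and trusted_proxies settings).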