[Support]: Access allowed to URLs when not authenticated #22841
Describe the problem you are having
I am using Frigate behind a reverse proxy, passing all requests to Frigate on port 8971. I assumed that if you are not logged in then all HTTP requests apart from trying to log in would be denied (HTTP 401), but I see that's not the case, e.g. https://myfrigate.example.server/locales/en/views/system.json etc. Is this expected?

Version
0.17.1-416a9b7

What browser(s) are you using?
Firefox 149.0

Frigate config file
auth:
  failed_login_rate_limit: 1/second;5/minute;20/hour
  trusted_proxies:
    - 172.18.0.0/16

Relevant Frigate log output
n/a

Relevant go2rtc log output
n/a

FFprobe output from your camera
n/a

Frigate stats
No response

Install method
Docker Compose

docker-compose file or Docker CLI command
unRAID Container

Object Detector
CPU (no coral)

Network connection
Wired

Camera make and model
n/a

Screenshots of the Frigate UI's System metrics pages
No response

Any other information that may be helpful
No response
Replies: 1 comment
Yes, this is expected behavior. Static assets like CSS files, JavaScript bundles, and locale/translation JSON files are served without authentication. These are frontend resources needed to render the login page itself—without them, users wouldn't even be able to see or interact with the login form. The authentication in Frigate protects API endpoints and sensitive data, not the static files required to display the UI.(1)

When you access port 8971 (the authenticated port), Frigate validates authentication for API requests and protected resources.(1) However, the static assets under /assets/ and /locales/ are intentionally accessible so the login page can load properly.

Your configuration looks correct for a reverse proxy setup:

auth:
  failed_login_rate_limit: 1/second;5/minute;20/hour
  trusted_proxies:
    - 172.18.0.0/16

The key security boundary is that unauthenticated users cannot access camera feeds, recordings, API data, or configuration—those require valid authentication via JWT token or proxy headers.(1)
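A practical way to confirm the boundary described in the reply on your own deployment is to probe the authenticated port with no cookies or auth headers and check that only paths under /assets/ and /locales/ answer with 2xx while everything else is rejected. The script below is an added example for this thread, not Frigate's or the reporter's code. The two public prefixes come from the reply above; the /api/config, /api/stats and /api/events routes are assumptions about a typical install and should be replaced with whatever your instance exposes. The sample statuses at the bottom are constructed so the classification runs offline; pass a base URL (through your reverse proxy, as an outside client would see it) to probe a live server instead.

```python
"""Probe a Frigate instance's authenticated port (8971) with no credentials
and report which paths answer anonymously.

Added example for this discussion, not Frigate's own code. The public
prefixes (/assets/, /locales/) come from the reply above; the /api/ paths are
assumed examples and should be replaced with your deployment's real routes.
"""
from __future__ import annotations

import posixpath
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Prefixes the reply says are intentionally reachable without a session.
PUBLIC_PREFIXES = ("/assets/", "/locales/")

# Paths to probe: the locale file the reporter saw, assumed API routes that
# must require auth, and a traversal-style request that must be judged by
# where it really points (/api/config), not by its /assets/ prefix.
PROBE_PATHS = (
    "/locales/en/views/system.json",
    "/api/config",
    "/api/stats",
    "/api/events",
    "/assets/../api/config",
)


@dataclass(frozen=True)
class Finding:
    path: str      # canonical path actually requested
    status: int    # observed HTTP status
    public: bool   # anonymous 2xx acceptable for this path?
    ok: bool       # observed status matches the expected boundary
    note: str


def canonical_path(path: str) -> str:
    """Decode percent-escapes once and collapse '.'/'..' segments so the
    allowlist prefix is compared against the path the server resolves."""
    decoded = urllib.parse.unquote(path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_public(path: str) -> bool:
    """True if the canonical path lies under a prefix served without auth."""
    canonical = canonical_path(path)
    return any(canonical == p.rstrip("/") or canonical.startswith(p)
               for p in PUBLIC_PREFIXES)


def evaluate(path: str, status: int) -> Finding:
    """Static assets may return 2xx; every other path must be rejected with
    401 or 403 when no credentials are sent. A redirect counts as a failure
    because the audit should see what an anonymous client really gets."""
    canonical = canonical_path(path)
    public = is_public(path)
    if public:
        ok = 200 <= status < 300
        note = ("static asset served anonymously (expected)" if ok
                else "static asset blocked; the login page may fail to render")
    elif 200 <= status < 300:
        ok, note = False, "UNEXPECTED: protected path readable without credentials"
    elif status in (401, 403):
        ok, note = True, "protected path rejected anonymously (expected)"
    else:
        ok, note = False, f"unexpected status {status}; check proxy/redirect handling"
    return Finding(canonical, status, public, ok, note)


def audit(observations: dict[str, int]) -> list[Finding]:
    """Evaluate a mapping of probed path -> observed HTTP status."""
    return [evaluate(p, s) for p, s in observations.items()]


def violations(findings: list[Finding]) -> list[str]:
    """Canonical paths whose observed status breaks the expected boundary."""
    return [f.path for f in findings if not f.ok]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as their own status instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, path: str, timeout: float = 5.0) -> int:
    """GET base_url+path with no cookies or auth headers; return the status."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


# Constructed sample statuses (not captured from a real server) so the
# classification can be exercised offline; /api/stats is deliberately wrong.
SAMPLE_OBSERVATIONS = {
    "/locales/en/views/system.json": 200,
    "/api/config": 401,
    "/api/stats": 200,
    "/assets/../api/events": 401,
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python audit_auth.py https://myfrigate.example.server
        observed = {p: probe(sys.argv[1], p) for p in PROBE_PATHS}
    else:
        observed = SAMPLE_OBSERVATIONS
    findings = audit(observed)
    for f in findings:
        print(f"{f.status:>3}  {f.path:<35} {f.note}")
    sys.exit(1 if violations(findings) else 0)
```

Run it from outside the trusted_proxies range so the request does not arrive with a proxy-trusted source address; the point is to see exactly what an anonymous client on the internet-facing side gets back. Any 2xx on a path outside /assets/ and /locales/ is the result to investigate, and a 3xx is reported rather than followed so a redirect to the login page is not mistaken for a 401.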