be9700-api: correct exposure/security note in description

This commit is contained in:
2026-06-29 12:26:26 -07:00
parent bf09e224c9
commit 96c5f34a91

View File

@@ -25,9 +25,11 @@ Every request to `/api/*` must carry:
| `X-Router-Password` | Router admin password (for fresh sessions) |
| `X-Router-Session` | Reuse a session token returned by a previous call (JSON) |
This means the container itself holds no secrets and is safe to expose via
Traefik without any additional auth middleware — just use the API from clients
that supply the headers.
The container holds no stored secrets, but the `/api/*` surface controls your
router and CORS is open — anyone who can reach the service and supply a valid
router password can change router settings. Keep this app LAN-only unless you
place an auth middleware (e.g. Traefik forward-auth / Authentik) in front of it
before exposing it to the internet.
## Quick start