Locking Down the Dashboard #919
I've built my dashboard and been using it for some time. It's great. Thank you. I've just decided to put a modified version as my landing page on my website. I copied everything across and set it up. I can now access it from anywhere but I can't seem to shut down the editing facility on the page. Anyone that accesses it can edit it. How do I disable that? The setting that I thought would disable that function doesn't appear to do anything. All I want is my dashboard displayed minus the settings bar. In the App Config it says: If set to true, the settings buttons will be hidden. Mine is ticked but I can still access the settings buttons. Obviously something daft but anyone got any ideas? Regards,
Replies: 1 comment 1 reply
Heya @Bag72 👋
So the most secure approach, is to build the app and then just simply serve up the dist directory. Since the content of dist is just plain ol HTML, JS, CSS, it can be run using any HTTP server. It's as secure as your web server.
For example:
yarn build && npx http-server ./dist --port 8080
Or, with the dynamic app, it is possible to disable UI editing with appConfig.disableConfiguration - however this only prevents you from editing through the UI, and so should not be considered secure if the app is exposed to the internet. This will be addressed in next update, 2.1.2 (described in #799) adding proper server-side security. 🎉
Another option, is to deploy the normal dynamic app, but pass the config file into the container as a read-only volume, using the
That way you'll still have access to any server-side functions like status-checks, or widgets with proxied data, but changes cannot be written to disk.
Personally, I'd go with serving up the static app, just because modern web servers have a lot of built-in security things out of the box.
Alternatively, you could deploy to a service like Netlify. This is also secure, as there's no backend code, but status checks, and proxied widget requests will still work, as I've ported them over to serverless functions.
Hope that helps :)
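For the read-only volume option mentioned in the reply above, one way to confirm the config file really is mounted read-only is to read the container's mount table. This is an added example, not part of the original thread or the project's code; the function names, the path /srv/dashboard/conf.yml and the sample mount lines are constructed placeholders.

```shell
#!/bin/sh
# Report whether the mount covering a path is read-only ("ro") or writable ("rw").
# $1 = file in /proc/mounts format, $2 = absolute path to check.
# Note: /proc/mounts escapes spaces in paths as \040; paths with spaces are not handled here.
mount_mode() {
    awk -v target="$2" '
        {
            mp = $2
            # A mount covers the target if it is the target itself, the root, or a parent directory.
            if (mp == target || mp == "/" || index(target, mp "/") == 1) {
                # Longest mount point wins; on a tie the later entry shadows the earlier one.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END {
            if (opts == "") { print "unknown"; exit }
            n = split(opts, o, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            print mode
        }
    ' "$1"
}

# Constructed sample mount table: a writable container root plus a config file
# bind-mounted read-only and a writable data directory (all paths hypothetical).
sample_mounts() {
    cat <<'EOF'
overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /srv/dashboard/conf.yml ext4 ro,relatime 0 0
/dev/sda1 /srv/dashboard/data ext4 rw,relatime 0 0
EOF
}

# Demo run against the constructed table.
tmp_mounts=$(mktemp)
sample_mounts > "$tmp_mounts"
for p in /srv/dashboard/conf.yml /srv/dashboard/conf.yml.bak /srv/dashboard/data/cache; do
    printf '%s -> %s\n' "$p" "$(mount_mode "$tmp_mounts" "$p")"
done
rm -f "$tmp_mounts"
```

Inside a running container, pass /proc/mounts as the first argument and the real config path as the second; anything other than "ro" means changes can still be written to disk.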