http component serves all files and data required for the Home Assistant frontend. You only need to add this to your configuration file if you want to change any of the default settings.
It’s HIGHLY recommended that you set the
api_password, especially if you are planning to expose your installation to the internet.
# Example configuration.yaml entry http: api_password: YOUR_PASSWORD
- api_password (Optional): Protect Home Assistant with a password.
- server_host (Optional): Only listen to incoming requests on specific ip/host (default: accept all)
- server_port (Optional): Let you set a port to use. Defaults to 8123.
- development (Optional): Disable caching and load unvulcanized assets. Useful for Frontend development.
- ssl_certificate (Optional): Path to your TLS/SSL certificate to serve Home Assistant over a secure connection.
- ssl_key (Optional): Path to your TLS/SSL key to serve Home Assistant over a secure connection.
- cors_allowed_origins (Optional): A list of origin domain names to allow CORS requests from. Enabling this will set the
Access-Control-Allow-Originheader to the Origin header if it is found in the list, and the
Origin, Accept, X-Requested-With, Content-type, X-HA-access. You must provide the exact Origin, i.e.
https://home-assistant.iowill allow requests from
- use_x_forwarded_for (Optional): Enable parsing of the
X-Forwarded-Forheader, passing on the client’s correct IP address in proxied setups. You should only enable this in a trustworthy network environment, as clients passing that header could easily spoof their source IP address.
- trusted_networks (Optional): List of trusted networks, consisting of IP addresses or networks, that are allowed to bypass password protection when accessing Home Assistant.
- ip_ban_enabled (Optional): Flag indicating whether additional IP filtering is enabled. Defaults to False.
- login_attempts_threshold (Optional): Number of failed login attemt from single IP after which it will be automatically banned if
ip_ban_enabledis True. Defaults to -1, meaning that no new automatic bans will be added.
The sample below shows a configuration entry with possible values:
# Example configuration.yaml entry http: api_password: YOUR_PASSWORD server_port: 12345 ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem cors_allowed_origins: - https://google.com - https://home-assistant.io trusted_networks: - 127.0.0.1 - ::1 - 192.168.0.0/24 - 2001:DB8:ABCD::/48 ip_ban_enabled: True login_attempts_threshold: 5
http platforms are not real platforms within the meaning of the terminology used around Home Assistant. Home Assistant’s REST API sends and receives messages over HTTP.
To use those kind of sensors or binary sensors in your installation no configuration in Home Assistant is needed. All configuration is done on the devices themselves. This means that you must be able to edit the target URL or endpoint and the payload. The entity will be created after the first message has arrived.
All requests need to be sent to the endpoint of the device and must be POST.
If you want to use Home Assistant to host or serve static files then create a directory called
www under the
.homeassistant configuration path. The static files in
.homeassistant/www/ can be accessed by the following URL
If you want to apply additional IP filtering, and automatically ban bruteforce attempts, set
True and select number of attempts. After first ban file
ip_bans.yaml will be created in the root configuration folder. It will have IP address and time in UTC when it was added:
127.0.0.1: banned_at: '2016-11-16T19:20:03'
After a ban is added a Persistent Notification is populated to the Home Assistant frontend.
Please note, that sources from
trusted_networks won’t be banned automatically.