I have a persistent security warning on the Syncthing GUI interface for my Synology NAS. It reads as follows:
The Syncthing admin interface is configured to allow remote access without a password. This can easily give hackers access to read and change any files on your computer. Please set a GUI Authentication User and Password in the Settings dialog.
But my Syncthing listening IP address is set to 127.0.0.1 under both the settings GUI tab and in the config.xml file. I thought that I didn’t need a password with this address since this setting restricts access to the local computer only?
We don’t show that warning unless the UI is actually exposed on something other than localhost. From earlier discussions on this issue, I believe that we take the “usual measures” against XSS and those are deemed safe, as in there are no known attack vectors; the attack surface remains, obviously. Is my understanding wrong? Because if it is, a password shouldn’t be optional.
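The condition described in the reply (warn only when the GUI address is not loopback and no user/password is set) can be reproduced offline against a config.xml. The following is an added example, not code from the original thread or from the Syncthing project. The XML snippets are constructed fragments modelled on the shape of the `<gui>` element in config.xml; the assumed default address `127.0.0.1:8384` and the treatment of the hostname `localhost` as local are assumptions, not something the thread states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the original post). Only the
# <gui> element is modelled; the rest of config.xml is omitted.
LOOPBACK_NO_AUTH = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>127.0.0.1:8384</address>
  </gui>
</configuration>"""

EXPOSED_NO_AUTH = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
  </gui>
</configuration>"""

EXPOSED_WITH_AUTH = """<configuration version="37">
  <gui enabled="true" tls="true">
    <address>0.0.0.0:8384</address>
    <user>admin</user>
    <password>$2a$10$constructed-bcrypt-hash-placeholder</password>
  </gui>
</configuration>"""


def split_host(address):
    """Return the host part of 'host:port', '[v6addr]:port' or ':port'."""
    address = address.strip()
    if address.startswith("["):
        return address[1:address.index("]")]
    host, _, _ = address.rpartition(":")
    return host


def is_loopback_address(address):
    """True only when the listen address provably stays on this machine."""
    host = split_host(address)
    if host == "":
        # ':8384' with an empty host binds every interface.
        return False
    if host.lower() == "localhost":
        # Assumption: 'localhost' resolves to a loopback address.
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname cannot be proven local; treat it as exposed.
        return False


def gui_exposure(config_xml):
    """Return (exposed, has_auth, address) for the <gui> element."""
    root = ET.fromstring(config_xml)
    gui = root.find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return (False, False, None)
    # Assumed default when <address> is absent.
    address = (gui.findtext("address") or "127.0.0.1:8384").strip()
    user = (gui.findtext("user") or "").strip()
    password = (gui.findtext("password") or "").strip()
    return (not is_loopback_address(address), bool(user and password), address)


def should_warn(config_xml):
    """Mirror the warning condition: exposed beyond loopback and no credentials."""
    exposed, has_auth, _ = gui_exposure(config_xml)
    return exposed and not has_auth


if __name__ == "__main__":
    for name, cfg in [("loopback, no auth", LOOPBACK_NO_AUTH),
                      ("0.0.0.0, no auth", EXPOSED_NO_AUTH),
                      ("0.0.0.0, with auth", EXPOSED_WITH_AUTH)]:
        print(f"{name}: warn={should_warn(cfg)}")
```

Point the parser at the real config.xml (`ET.parse(path).getroot()` in place of `ET.fromstring`) to check the file the GUI is reading. The file is not the only source of the listen address: a `--gui-address` flag or the `STGUIADDRESS` environment variable overrides it, so the authoritative check is what the process has actually bound, for example `ss -ltnp | grep 8384` on the NAS.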