Dear users of Syncthing,
By default, the web GUI only listens for connections from localhost (::1 for IPv6).
If you decide to change this to make it listen to the whole world (for example, 0.0.0.0), then make sure you set up a username, password and HTTPS.
Otherwise, anybody can connect to your server and do anything they want with your Syncthing. This includes editing or deleting your files, impersonating you to other Syncthing users in your network, filling up your computer’s storage, etc.
This setting is configured in the “GUI Listen Addresses” of the web-based configuration menu, or the <gui> element of config.xml.
If you want to be able to access your web GUI remotely without a username and password, you should use SSH port forwarding like this:
$ ssh -L 9384:127.0.0.1:8384 my_remote_hostname
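
A check for the misconfiguration described in this post, as an added example that is not part of the original post or of Syncthing itself: it parses a config.xml and reports a GUI listen address that is not localhost-only while the username, password or HTTPS is missing. The `tls` attribute and the `<address>`, `<user>` and `<password>` children are assumed from the usual config.xml layout, and the sample configs are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples; the <gui> layout used here is an assumption.
SAMPLE_DEFAULT = """<configuration><gui enabled="true" tls="false">
  <address>127.0.0.1:8384</address></gui></configuration>"""
SAMPLE_EXPOSED = """<configuration><gui enabled="true" tls="false">
  <address>0.0.0.0:8384</address></gui></configuration>"""
SAMPLE_HARDENED = """<configuration><gui enabled="true" tls="true">
  <address>0.0.0.0:8384</address>
  <user>admin</user><password>constructed-hash-placeholder</password>
</gui></configuration>"""


def is_loopback(address):
    """True if a host:port listen address binds only to localhost."""
    host = address.strip().rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Empty host (":8384") or anything unparsable: treat as exposed.
        return False


def audit_gui(config_xml):
    """Return findings for the <gui> element; an empty list means OK."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") == "false":
        return []
    exposed = [(a.text or "").strip() for a in gui.findall("address")
               if not is_loopback(a.text or "")]
    if not exposed:
        return []  # localhost-only: credentials are optional
    findings = []
    if not (gui.findtext("user") or "").strip():
        findings.append("no username")
    if not (gui.findtext("password") or "").strip():
        findings.append("no password")
    if gui.get("tls", "false") != "true":
        findings.append("HTTPS disabled")
    return [f"{', '.join(exposed)}: {f}" for f in findings]


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_EXPOSED", "SAMPLE_HARDENED"):
        print(name, audit_gui(globals()[name]) or "ok")
```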