Web GUI open to the entire world

Sorry, just saw this thread:

…and spontaneously panicked somewhat.

For the “non power user” that I am and who tends to break things out of ignorance – how do I check and make sure that I haven’t accidentally made the mistake of giving the whole world access to my files?

That thread is over 4 years old; stuff has changed since then. Nowadays, Syncthing displays a big red warning banner if the GUI is not listening on localhost without any password set.

The address the GUI is listening on can be seen in the GUI under Actions -> Settings -> GUI -> GUI Listen Address. Something like 127.0.0.1 or ‘localhost’ means that the GUI is only accessible locally.

However, that setting may be overridden by startup options - in that case, a yellow warning is displayed above the Listen Address field. The actual address used is printed on startup in the log, something like this:

INFO: GUI and API listening on 127.0.0.1:8384

In any case, you may configure username and password to restrict access, even if the GUI is only accessible locally. In that case using HTTPS (TLS) is recommended too so that password-sniffing attacks are avoided.

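The checks described in the answer above can be scripted. This is an added example, not part of the original posts and not Syncthing's own code. It assumes the `<gui>` element of Syncthing's `config.xml` carries a `tls` attribute and `address`, `user` and `password` children; the function names and the sample config and log are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Startup log line quoted in the thread: "GUI and API listening on <addr>"
LOG_RE = re.compile(r"GUI and API listening on (\S+)")

# Constructed sample: config says localhost, but a startup option overrode it.
SAMPLE_CONFIG = """<configuration>
  <gui enabled="true" tls="false">
    <address>127.0.0.1:8384</address>
  </gui>
</configuration>"""
SAMPLE_LOG = "INFO: GUI and API listening on 0.0.0.0:8384\n"

def host_of(listen_addr):
    """Split 'host:port' (or '[v6]:port') and return the host part."""
    host, _, _port = listen_addr.rpartition(":")
    return host.strip("[]")

def is_local_only(listen_addr):
    """True only for loopback; an empty host, 0.0.0.0 or :: means all interfaces."""
    host = host_of(listen_addr)
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty or unrecognised host: treat as exposed

def address_from_log(log_text):
    """Return the last address logged, i.e. the one actually in use."""
    found = LOG_RE.findall(log_text)
    return found[-1] if found else None

def audit_gui(config_xml, log_text=""):
    """Summarise GUI exposure; the logged address wins over the configured one."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None:
        raise ValueError("no <gui> element in config")
    addr = address_from_log(log_text) or gui.findtext("address", "")
    return {
        "address": addr,
        "local_only": is_local_only(addr),
        "auth_set": bool(gui.findtext("user")) and bool(gui.findtext("password")),
        "tls": gui.get("tls") == "true",
    }

if __name__ == "__main__":
    print(audit_gui(SAMPLE_CONFIG, SAMPLE_LOG))
```

With the constructed sample, the configured address is loopback, but the logged address is `0.0.0.0:8384`, so the result reports `local_only` as false with no authentication and no TLS.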

Thank you – will check that as soon as I am at the device again, and report back what I found.