WelcomeBoard is designed to run on a local network behind your firewall. It does not include authentication or encryption by default. Do not expose it to the public internet without adding your own security layer (reverse proxy with auth, VPN, etc.).

If you discover a security vulnerability, please report it responsibly:
- Do not open a public issue
- Email the maintainer directly or use GitHub's private vulnerability reporting
- Include a description of the vulnerability and steps to reproduce

We will acknowledge receipt within 48 hours and work to address the issue promptly.

Security concerns relevant to WelcomeBoard include:
- SQL injection in API endpoints
- Cross-site scripting (XSS) in the display or admin panel
- Path traversal in static file serving or theme loading
- Sensitive data exposure (WiFi passwords in logs, API responses, etc.)
- Vulnerabilities in dependencies

Known design decisions to keep in mind:
- WiFi passwords are stored in the SQLite database and served via API. This is by design (the display needs them for QR codes). Keep the server on a trusted network.
- UniFi credentials are passed via environment variables, never stored in the database or committed to version control.
- No authentication is implemented. Anyone on your network can access the admin panel. If this is a concern, put a reverse proxy (nginx, Caddy, Traefik) with authentication in front of WelcomeBoard.
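
A minimal nginx front end for the reverse-proxy option above, as an added example rather than configuration shipped with WelcomeBoard. The hostname, certificate and htpasswd paths, LAN range, and upstream address `127.0.0.1:8080` are assumptions; substitute the address WelcomeBoard actually listens on.

```nginx
# Added example, not part of WelcomeBoard. All names, paths and the upstream
# address are assumptions; adjust them to your deployment.
#
# Create the credential file first (htpasswd ships in apache2-utils / httpd-tools):
#   htpasswd -c /etc/nginx/welcomeboard.htpasswd admin

# Redirect plain HTTP so credentials and WiFi passwords do not cross the LAN in clear text.
server {
    listen 80;
    server_name welcomeboard.lan;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name welcomeboard.lan;

    ssl_certificate     /etc/nginx/tls/welcomeboard.crt;
    ssl_certificate_key /etc/nginx/tls/welcomeboard.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Require BOTH a trusted source address and valid credentials.
        satisfy all;
        allow 192.168.1.0/24;   # assumed LAN range
        deny  all;

        auth_basic           "WelcomeBoard";
        auth_basic_user_file /etc/nginx/welcomeboard.htpasswd;

        proxy_pass http://127.0.0.1:8080;   # placeholder upstream address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the whole site sits behind the proxy, the display device has to authenticate as well. WelcomeBoard itself should be reachable only from the proxy host (bound to loopback or firewalled), otherwise clients on the network can bypass the proxy.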