ConfigurationsManager serves its Web UI and API over plain HTTP by default.
That means:
- Password fields are masked in the UI (displayed as ***).
- When a user sets or changes a password in the Web UI, it is transmitted to the ESP32 in cleartext over HTTP.
- UI masking prevents accidental shoulder-surfing and avoids leaking stored secrets through normal UI rendering.
- Transport security: HTTP traffic can be sniffed/modified on untrusted networks.
- Storage security: passwords are stored in plaintext in ESP32 NVS/Preferences (so the device can actually use them).
- Physical access: anyone with physical access to the device can potentially extract stored values.
At the moment, ConfigurationsManager does not provide an on-device HTTPS server. The built-in Web UI and API are served via plain HTTP.
If you need HTTPS/TLS, the recommended approach is to terminate TLS externally (e.g. a reverse proxy, VPN, or other trusted network boundary) and forward requests to the device over HTTP.
- Use the UI only on a trusted network.
- If you need TLS, provide it externally (e.g. VPN, WiFi isolation + trusted clients, or a reverse proxy that terminates HTTPS).
- Treat OTA/MQTT passwords as sensitive and keep them unique per device/project.
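The following nginx configuration is an added example of the external TLS termination recommended above; it is not part of the ConfigurationsManager project. It assumes the ESP32 is reachable at 192.168.10.50 on a segment that only the proxy can reach, that trusted clients sit in 192.168.10.0/24, and that a certificate for the hypothetical name device.example.internal already exists at the paths shown. Clients talk HTTPS to the proxy; the proxy forwards to the device over plain HTTP.

```nginx
# Added example, not project code. Assumed values: device IP 192.168.10.50,
# trusted client subnet 192.168.10.0/24, hostname device.example.internal,
# certificate/key paths under /etc/ssl/private/.

# Redirect any plain-HTTP request at the trust boundary to HTTPS so that
# passwords entered in the Web UI never cross the untrusted network in cleartext.
server {
    listen 80;
    server_name device.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name device.example.internal;

    ssl_certificate     /etc/ssl/private/device.example.internal.crt;
    ssl_certificate_key /etc/ssl/private/device.example.internal.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only trusted clients may reach the proxy at all.
    allow 192.168.10.0/24;
    deny  all;

    location / {
        # The hop from the proxy to the ESP32 is still plain HTTP, so this
        # address must live on a segment that nothing but the proxy can reach.
        proxy_pass         http://192.168.10.50:80;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Forwarded-For   $remote_addr;
    }
}
```

The proxy only protects the client-to-proxy leg. The proxy-to-device leg remains cleartext, which is why the device belongs on an isolated WiFi/VLAN segment where the proxy is the sole permitted client; the same applies to OTA and MQTT traffic that does not pass through the proxy.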
| Method | Overloads / Variants | Description | Notes |
|---|---|---|---|
| ConfigManager.setSettingsPassword | setSettingsPassword(const String& password) | Sets password protection for Settings UI actions. | Use strong unique credentials. |
| ConfigManager.setupOTA | setupOTA(const String& hostname, const String& password = "") | Configures OTA credentials and host identity. | Keep OTA restricted to trusted networks. |