dashy/docs/privacy/index.html


<!doctype html>
<html lang="en" dir="ltr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-beta.2">
<link rel="search" type="application/opensearchdescription+xml" title="Dashy" href="/opensearch.xml">
<script src="https://no-track.as93.net/js/script.js" defer="defer" data-domain="dashy.to"></script><title data-react-helmet="true">Privacy &amp; Security | Dashy</title><meta data-react-helmet="true" property="og:url" content="https://dashy.to/docs/privacy"><meta data-react-helmet="true" name="docsearch:language" content="en"><meta data-react-helmet="true" name="docsearch:version" content="current"><meta data-react-helmet="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Privacy &amp; Security | Dashy"><meta data-react-helmet="true" name="description" content="Dashy was built with privacy in mind."><meta data-react-helmet="true" property="og:description" content="Dashy was built with privacy in mind."><link data-react-helmet="true" rel="shortcut icon" href="/img/favicon.ico"><link data-react-helmet="true" rel="canonical" href="https://dashy.to/docs/privacy"><link data-react-helmet="true" rel="alternate" href="https://dashy.to/docs/privacy" hreflang="en"><link data-react-helmet="true" rel="alternate" href="https://dashy.to/docs/privacy" hreflang="x-default"><link data-react-helmet="true" rel="preconnect" href="https://BH4D9OD16A-dsn.algolia.net" crossorigin="anonymous"><link rel="stylesheet" href="/assets/css/styles.de060916.css">
<link rel="preload" href="/assets/js/runtime~main.ac7349e8.js" as="script">
<link rel="preload" href="/assets/js/main.d13b237a.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"dark")}()</script><div id="__docusaurus">
<div><a href="#main" class="skipToContent_OuoZ">Skip to main content</a></div><nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Navigation bar toggle" class="navbar__toggle clean-btn" type="button" tabindex="0"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><img src="/img/dashy.png" alt="Dashy Logo" class="themedImage_TMUO themedImage--light_4Vu1 navbar__logo"><img src="/img/dashy.png" alt="Dashy Logo" class="themedImage_TMUO themedImage--dark_uzRr navbar__logo"><b class="navbar__title">Dashy</b></a><a href="https://github.com/lissy93/dashy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><a href="https://demo.dashy.to" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">Live Demo</a><a class="navbar__item navbar__link" href="/docs/quick-start">Quick Start</a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/docs">Documentation</a></div><div class="navbar__items navbar__items--right"><div class="react-toggle displayOnlyInLargeViewport_cxYs react-toggle--checked react-toggle--disabled"><div class="react-toggle-track" role="button" tabindex="-1"><div class="react-toggle-track-check"><span class="toggle_iYfV">🌙</span></div><div class="react-toggle-track-x"><span class="toggle_iYfV">☀️</span></div><div class="react-toggle-thumb"></div></div><input type="checkbox" checked="" class="react-toggle-screenreader-only" aria-label="Switch between dark and light mode"></div><div class="searchBox_Bc3W"><button type="button" class="DocSearch DocSearch-Button" aria-label="Search"><span class="DocSearch-Button-Container"><svg width="20" height="20" class="DocSearch-Search-Icon" viewBox="0 0 20 20" aria-hidden="true"><path d="M14.386 
14.386l4.0877 4.0877-4.0877-4.0877c-2.9418 2.9419-7.7115 2.9419-10.6533 0-2.9419-2.9418-2.9419-7.7115 0-10.6533 2.9418-2.9419 7.7115-2.9419 10.6533 0 2.9419 2.9418 2.9419 7.7115 0 10.6533z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg><span class="DocSearch-Button-Placeholder">Search</span></span><span class="DocSearch-Button-Keys"></span></button></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/"><img src="/img/dashy.png" alt="Dashy Logo" class="themedImage_TMUO themedImage--light_4Vu1 navbar__logo"><img src="/img/dashy.png" alt="Dashy Logo" class="themedImage_TMUO themedImage--dark_uzRr navbar__logo"><b class="navbar__title">Dashy</b></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a href="https://github.com/lissy93/dashy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li><li class="menu__list-item"><a href="https://demo.dashy.to" target="_blank" rel="noopener noreferrer" class="menu__link">Live Demo</a></li><li class="menu__list-item"><a class="menu__link" href="/docs/quick-start">Quick Start</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/docs">Documentation</a></li></ul></div></div></div></nav><div class="main-wrapper docs-wrapper doc-page"><div class="docPage_lDyR"><aside class="docSidebarContainer_0YBq"><div class="sidebar_LIo8"><nav class="menu menu--responsive thin-scrollbar menu_oAhv menuWithAnnouncementBar_IVfW" aria-label="Sidebar navigation"><button aria-label="Open menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg class="sidebarMenuIcon_nrF-" width="24" height="24" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" 
stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item menu__list-item--collapsed"><a class="menu__link menu__link--sublist" href="#!">Running Dashy</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/quick-start">Quick Start</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/deployment">Deployment</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/configuring">Configuring</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/management">App Management</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/troubleshooting">Troubleshooting</a></li></ul></li><li class="menu__list-item menu__list-item--collapsed"><a class="menu__link menu__link--sublist" href="#!">Feature Docs</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/icons">Icons</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/widgets">Widgets</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/theming">Theming</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/status-indicators">Status Indicators</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/authentication">Authentication</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/searching">Keyboard Shortcuts</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/alternate-views">Alternate Views &amp; Opening Methods</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/multi-language-support">Internationalization</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/backup-restore">Cloud Backup and 
Restore</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/pages-and-sections">Pages and Sections</a></li></ul></li><li class="menu__list-item menu__list-item--collapsed"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/showcase">*Dashy Showcase* 🌟</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/contributing">Contributing</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/developing">Developing</a></li><li class="menu__list-item"><a class="menu__link" tabindex="-1" href="/docs/development-guides">Development Guides</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Misc</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/docs/privacy">Privacy &amp; Security</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/docs/changelog">Changelog</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/docs/license">license</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/docs/code-of-conduct">Contributor Covenant Code of Conduct</a></li></ul></li></ul></nav><div class="sidebar-ad"><script async="" src="//cdn.carbonads.com/carbon.js?serve=CWYIC53L&amp;placement=dashyto" id="_carbonads_js"></script></div></div></aside><main class="docMainContainer_r8cw"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_zHA2"><div class="docItemContainer_oiyr"><article><div class="markdown"><header><h1 class="h1Heading_dC7a">Privacy &amp; Security</h1></header><p>Dashy was built with privacy in mind.
Self-hosting your own apps and services is a great way to protect yourself from the mass data collection employed by big tech companies, and Dashy was designed to make self-hosting easier, by keeping your local services organized and accessible from a single place. The <a href="https://github.com/Lissy93/dashy/blob/master/docs/management.md" target="_blank" rel="noopener noreferrer">management docs</a> contain a thorough guide on the steps you can take to secure your homelab.</p><p>Dashy operates on the premise that no external data requests should ever be made, unless explicitly enabled by the user. In the interest of transparency, the code is 100% open source and clearly documented throughout.</p><table><thead><tr><th>🔐 For privacy and security tips, check out another project of mine: <strong><a href="https://github.com/Lissy93/personal-security-checklist" target="_blank" rel="noopener noreferrer">Personal Security Checklist</a></strong></th></tr></thead></table><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="contents"></a>Contents<a class="hash-link" href="#contents" title="Direct link to heading">#</a></h2><ul><li><a href="#external-requests">External Requests</a><ul><li><a href="#icons">Icons</a></li><li><a href="#themes">Themes</a></li><li><a href="#widgets">Widgets</a></li><li><a href="#features">Features</a><ul><li><a href="#status-checking">Status Checking</a></li><li><a href="#update-checks">Update Checks</a></li><li><a href="#cloud-backup">Cloud Backup</a></li><li><a href="#web-search">Web Search</a></li><li><a href="#anonymous-error-reporting">Error Reporting</a></li></ul></li></ul></li><li><a href="#browser-storage">Browser Storage</a></li><li><a href="#dependencies">App Dependencies</a></li><li><a href="#security-features">Security Features</a></li><li><a href="#securing-your-environment">Securing your Environment</a></li><li><a href="#reporting-a-security-issue">Reporting a Security Issue</a></li></ul><hr><h2><a 
aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="external-requests"></a>External Requests<a class="hash-link" href="#external-requests" title="Direct link to heading">#</a></h2><p>By default, Dashy will not make any external requests, unless you configure it to. Some features (which are off by default) do require internet access, and this section outlines those features, the services used, and links to their privacy policies.</p><p>The following section outlines all network requests that are made when certain features are enabled.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="icons"></a>Icons<a class="hash-link" href="#icons" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="font-awesome"></a>Font Awesome<a class="hash-link" href="#font-awesome" title="Direct link to heading">#</a></h4><p>If any of your sections, items or themes are using icons from font-awesome, then it will be automatically enabled. But you can also manually enable or disable it by setting <code>appConfig.enableFontAwesome</code> to <code>true</code> / <code>false</code>. Requests are made directly to Font-Awesome CDN, for more info, see the <a href="https://fontawesome.com/privacy" target="_blank" rel="noopener noreferrer">Font Awesome Privacy Policy</a>.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="material-design-icons"></a>Material Design Icons<a class="hash-link" href="#material-design-icons" title="Direct link to heading">#</a></h4><p>If any of your sections, items or themes are using mdi icons, then it will be automatically enabled. But you can also manually enable or disable it by setting <code>appConfig.enableMaterialDesignIcons</code> to <code>true</code> / <code>false</code>. 
Requests are made directly to Material-Design-Icons CDN, for more info, see the <a href="https://materialdesignicons.com/" target="_blank" rel="noopener noreferrer">Material Design Icons Website</a>.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="favicon-fetching"></a>Favicon Fetching<a class="hash-link" href="#favicon-fetching" title="Direct link to heading">#</a></h4><p>If an item&#x27;s icon is set to <code>favicon</code>, then it will be auto-fetched from the corresponding URL. Not all websites have their icon located at <code>/favicon.ico</code>, and if they do, it&#x27;s often very low resolution (like <code>16 x 16 px</code>). Therefore, the default behavior is for Dashy to check if the URL is public, and if so will use an API to fetch the favicon. For self-hosted services, the favicon will be fetched from the default path, and no external requests will be made.</p><p>The default favicon API is <a href="https://favicon.allesedv.com/" target="_blank" rel="noopener noreferrer">allesedv.com</a>, but this can be changed by setting <code>appConfig.faviconApi</code> to an alternate source (<code>iconhorse</code>, <code>clearbit</code>, <code>faviconkit</code>, <code>besticon</code>, <code>duckduckgo</code>, <code>google</code> and <code>allesedv</code> are supported). If you do not want to use any API, then you can set this property to <code>local</code>, and the favicon will be fetched from the default path. For hosted services, this will still incur an external request.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="generative-icons"></a>Generative Icons<a class="hash-link" href="#generative-icons" title="Direct link to heading">#</a></h4><p>If an item has the icon set to <code>generative</code>, then an external request is made to <a href="https://dicebear.com/" target="_blank" rel="noopener noreferrer">Dice Bear</a> to fetch the uniquely generated icon. 
The URL of a given service is used as the key for generating the icon, but it is first hashed and encoded for basic privacy. For more info, please reference the <a href="https://avatars.dicebear.com/legal/privacy-policy" target="_blank" rel="noopener noreferrer">Dicebear Privacy Policy</a></p><p>As a fallback, if Dicebear fails, then <a href="https://evatar.io/" target="_blank" rel="noopener noreferrer">Evatar</a> is used.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="other-icons"></a>Other Icons<a class="hash-link" href="#other-icons" title="Direct link to heading">#</a></h4><p>Section icons, item icons and app icons are able to accept a URL to a raw image, if the image is hosted online then an external request will be made. To avoid the need to make external requests for icon assets, you can either use a self-hosted CDN, or store your images within <code>./public/item-icons</code> (which can be mounted as a volume if you&#x27;re using Docker).</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="web-assets"></a>Web Assets<a class="hash-link" href="#web-assets" title="Direct link to heading">#</a></h4><p>By default, all assets required by Dashy come bundled within the source, and so no external requests are made. If you add an additional font, which is imported from a CDN, then that will incur an external request. 
The same applies for other web assets, like external images, scripts or styles.</p><hr><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="features"></a>Features<a class="hash-link" href="#features" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="status-checking"></a>Status Checking<a class="hash-link" href="#status-checking" title="Direct link to heading">#</a></h4><p>The status checking feature allows you to ping your apps/ services to check if they are currently operational.</p><p>Dashy will ping your services directly, and does not rely on any third party. If you are checking the uptime status of a public/ hosted application, then please refer to that services privacy policy. For all self-hosted services, requests happen locally within your network, and are not external.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="update-checks"></a>Update Checks<a class="hash-link" href="#update-checks" title="Direct link to heading">#</a></h4><p>When the application loads, it checks for updates. The results of which are displayed in the config menu of the UI. This was implemented because using a very outdated version of Dashy may have unfixed issues. Your version is fetched from the source (local request), but the latest version is fetched from GitHub, which is an external request. This can be disabled by setting <code>appConfig.disableUpdateChecks: true</code></p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="cloud-backup"></a>Cloud Backup<a class="hash-link" href="#cloud-backup" title="Direct link to heading">#</a></h4><p>Dashy has an optional End-to-End encrypted <a href="https://github.com/Lissy93/dashy/blob/master/docs/backup-restore.md" target="_blank" rel="noopener noreferrer">cloud backup feature</a>. 
No data is ever transmitted unless you actively enable this feature through the UI.</p><p>All data is encrypted before being sent to the backend. This is done in <a href="https://github.com/Lissy93/dashy/blob/master/src/utils/CloudBackup.js" target="_blank" rel="noopener noreferrer"><code>CloudBackup.js</code></a>, using <a href="https://github.com/brix/crypto-js" target="_blank" rel="noopener noreferrer">crypto.js</a>&#x27;s AES method, using the user&#x27;s chosen password as the key. The data is then sent to a <a href="https://developers.cloudflare.com/workers/learning/how-workers-works" target="_blank" rel="noopener noreferrer">Cloudflare worker</a> (a platform for running serverless functions), and stored in a <a href="https://developers.cloudflare.com/workers/learning/how-kv-works" target="_blank" rel="noopener noreferrer">KV</a> data store.</p><p>Your selected password never leaves your device, and is hashed before being compared. It is only possible to restore a configuration if you have both the backup ID and decryption password. Because the data is encrypted on the client-side (before being sent to the cloud), it is not possible for a man-in-the-middle, government entity, website owner, or even Cloudflare to be able to read any of your data. Since your password is used as the encryption key, this protection is only as strong as the password you choose.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="web-search"></a>Web Search<a class="hash-link" href="#web-search" title="Direct link to heading">#</a></h4><p>Dashy has a primitive <a href="https://github.com/Lissy93/dashy/blob/master/docs/searching.md#web-search" target="_blank" rel="noopener noreferrer">web search feature</a>. 
No external requests are made, instead you are redirected to your chosen search engine (defaults to DuckDuckGo), using your chosen opening method.</p><p>This feature can be disabled under appConfig, with <code>webSearch: { disableWebSearch: true }</code></p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="anonymous-error-reporting"></a>Anonymous Error Reporting<a class="hash-link" href="#anonymous-error-reporting" title="Direct link to heading">#</a></h4><p>Error reporting is disabled by default, and no data will ever be sent without your explicit consent. In fact, the error tracking code isn&#x27;t even imported unless you have actively enabled it. <a href="https://github.com/getsentry/sentry" target="_blank" rel="noopener noreferrer">Sentry</a> is used for this, it&#x27;s an open source error tracking and performance monitoring tool, used to identify any issues which occur in the production app (if you enable it).</p><p>The crash report includes the file or line of code that triggered the error, and a 2-layer deep stack trace. Reoccurring errors will also include the following user information: OS type (Mac, Windows, Linux, Android or iOS) and browser type (Firefox, Chrome, IE, Safari). Data scrubbing is enabled. IP address will not be stored. If any potentially identifiable data ever finds its way into a crash report, it will be automatically and permanently erased. All statistics collected are anonymized and stored securely, and are automatically deleted after 14 days. For more about privacy and security, see the <a href="https://sentry.io/security/" target="_blank" rel="noopener noreferrer">Sentry Docs</a>.</p><p>Enabling anonymous error reporting helps me to discover bugs I was unaware of, and then fix them, in order to make Dashy more reliable long term. 
Error reporting is activated by setting <code>appConfig.enableErrorReporting: true</code>.</p><p>If you need to monitor bugs yourself, then you can <a href="https://develop.sentry.dev/self-hosted/" target="_blank" rel="noopener noreferrer">self-host your own Sentry Server</a>, and use it by setting <code>appConfig.sentryDsn</code> to your Sentry instances <a href="https://docs.sentry.io/product/sentry-basics/dsn-explainer/" target="_blank" rel="noopener noreferrer">Data Source Name</a>, then just enable error reporting in Dashy.</p><hr><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="themes"></a>Themes<a class="hash-link" href="#themes" title="Direct link to heading">#</a></h3><p>Certain themes may use external assets (such as fonts or images). Currently, this only applies the Adventure theme.</p><hr><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="widgets"></a>Widgets<a class="hash-link" href="#widgets" title="Direct link to heading">#</a></h3><p>Dashy supports <a href="/docs/widgets">Widgets</a> for displaying dynamic content. 
Below is a list of all widgets that make external data requests, along with the endpoint they call and a link to the Privacy Policy of that service.</p><ul><li><strong><a href="/docs/widgets#weather">Weather</a></strong> and <strong><a href="/docs/widgets#weather-forecast">Weather Forecast</a></strong>: <code>https://api.openweathermap.org</code><ul><li><a href="https://openweather.co.uk/privacy-policy" target="_blank" rel="noopener noreferrer">OWM Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#rss-feed">RSS Feed</a></strong>: <code>https://api.rss2json.com/v1/api.json</code><ul><li><a href="https://rss2json.com/privacy-policy" target="_blank" rel="noopener noreferrer">Rss2Json Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#public-ip">IP Address</a></strong>: <code>https://ipapi.co/json</code> or <code>http://ip-api.com/json</code><ul><li><a href="https://ipgeolocation.io/privacy.html" target="_blank" rel="noopener noreferrer">IPGeoLocation Privacy Policy</a></li><li><a href="https://ip-api.com/docs/legal" target="_blank" rel="noopener noreferrer">IP-API Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#ip-blacklist">IP Blacklist</a></strong>: <code>https://api.blacklistchecker.com</code><ul><li><a href="https://blacklistchecker.com/privacy" target="_blank" rel="noopener noreferrer">Blacklist Checker Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#domain-monitor">Domain Monitor</a></strong>: <code>http://api.whoapi.com</code><ul><li><a href="https://whoapi.com/privacy-policy/" target="_blank" rel="noopener noreferrer">WhoAPI Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#crypto-watch-list">Crypto Watch List</a></strong> and <strong><a href="/docs/widgets#crypto-token-price-history">Token Price History</a></strong>: <code>https://api.coingecko.com</code><ul><li><a href="https://www.coingecko.com/en/privacy" target="_blank" rel="noopener noreferrer">CoinGecko Privacy 
Policy</a></li></ul></li><li><strong><a href="/docs/widgets#wallet-balance">Wallet Balance</a></strong>: <code>https://api.blockcypher.com/</code><ul><li><a href="https://www.blockcypher.com/privacy.html" target="_blank" rel="noopener noreferrer">BlockCypher Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#code-stats">Code::Stats</a></strong>: <code>https://codestats.net</code><ul><li><a href="https://codestats.net/tos#privacy" target="_blank" rel="noopener noreferrer">Code::Stats Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#anonaddy">AnonAddy</a></strong>: <code>https://app.anonaddy.com</code><ul><li><a href="https://anonaddy.com/privacy/" target="_blank" rel="noopener noreferrer">AnonAddy Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#vulnerability-feed">Vulnerability Feed</a></strong>: <code>https://www.cvedetails.com</code><ul><li><a href="https://www.cvedetails.com/privacy.php" target="_blank" rel="noopener noreferrer">CVE Details Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#exchange-rates">Exchange Rate</a></strong>: <code>https://v6.exchangerate-api.com</code><ul><li><a href="https://www.exchangerate-api.com/terms" target="_blank" rel="noopener noreferrer">ExchangeRateAPI Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#public-holidays">Public Holidays</a></strong>: <code>https://kayaposoft.com</code><ul><li><a href="https://github.com/jurajmajer/enrico" target="_blank" rel="noopener noreferrer">jurajmajer/enrico</a></li></ul></li><li><strong><a href="/docs/widgets#covid-19-status">Covid-19 Status</a></strong>: <code>https://codestats.net</code><ul><li><a href="https://github.com/disease-sh/api" target="_blank" rel="noopener noreferrer">disease-sh/api</a></li></ul></li><li><strong><a href="/docs/widgets#sports-scores">Sports Scores</a></strong>: <code>https://thesportsdb.com</code><ul><li>No Policy Available</li></ul></li><li><strong><a 
href="/docs/widgets#news-headlines">News Headlines</a></strong>: <code>https://api.currentsapi.services</code><ul><li><a href="https://currentsapi.services/privacy" target="_blank" rel="noopener noreferrer">CurrentsAPI Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#mullvad-status">Mullvad Status</a></strong>: <code>https://am.i.mullvad.net</code><ul><li><a href="https://mullvad.net/en/help/privacy-policy/" target="_blank" rel="noopener noreferrer">Mullvad Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#tfl-status">TFL Status</a></strong>: <code>https://api.tfl.gov.uk</code><ul><li><a href="https://tfl.gov.uk/corporate/privacy-and-cookies/" target="_blank" rel="noopener noreferrer">TFL Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#stock-price-history">Stock Price History</a></strong>: <code>https://alphavantage.co</code><ul><li><a href="https://www.alphavantage.co/privacy/" target="_blank" rel="noopener noreferrer">AlphaVantage Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#eth-gas-prices">ETH Gas Prices</a></strong>: <code>https://ethgas.watch</code><ul><li><a href="https://github.com/wslyvh/ethgaswatch" target="_blank" rel="noopener noreferrer">wslyvh/ethgaswatch</a></li></ul></li><li><strong><a href="/docs/widgets#joke">Joke</a></strong>: <code>https://v2.jokeapi.dev</code><ul><li><a href="https://sv443.net/privacypolicy/en" target="_blank" rel="noopener noreferrer">SV443&#x27;s Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#flight-data">Flight Data</a></strong>: <code>https://aerodatabox.p.rapidapi.com</code><ul><li><a href="https://www.aerodatabox.com/#h.p_CXtIYZWF_WQd" target="_blank" rel="noopener noreferrer">AeroDataBox Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#astronomy-picture-of-the-day">Astronomy Picture of the Day</a></strong>: <code>https://apodapi.herokuapp.com</code><ul><li><a 
href="https://www.nasa.gov/about/highlights/HP_Privacy.html" target="_blank" rel="noopener noreferrer">NASA&#x27;s Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#github-trending">GitHub Trending</a></strong> and <strong><a href="/docs/widgets#github-profile-stats">GitHub Profile Stats</a></strong>: <code>https://api.github.com</code><ul><li><a href="https://docs.github.com/en/github/site-policy/github-privacy-statement" target="_blank" rel="noopener noreferrer">GitHub&#x27;s Privacy Policy</a></li></ul></li><li><strong><a href="/docs/widgets#cron-monitoring-health-checks">Cron Monitoring (Health Checks)</a></strong>: <code>https://healthchecks.io</code><ul><li><a href="https://healthchecks.io/privacy/" target="_blank" rel="noopener noreferrer">Health-Checks Privacy Policy</a></li></ul></li></ul><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="browser-storage"></a>Browser Storage<a class="hash-link" href="#browser-storage" title="Direct link to heading">#</a></h2><p>In order for user preferences to be persisted between sessions, certain data needs to be stored in the browsers local storage. 
No personal info is kept here, none of this data can be accessed by other domains, and no data is ever sent to any server without your prior consent.</p><p>You can view and delete stored data by opening up the dev tools: <kbd>F12</kbd> --&gt; <code>Application</code> --&gt; <code>Storage</code>.</p><p>The following section outlines all data that is stored in the browsers, as cookies, session storage or local storage.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="cookies"></a>Cookies<a class="hash-link" href="#cookies" title="Direct link to heading">#</a></h3><blockquote><p><a href="https://en.wikipedia.org/wiki/HTTP_cookie" target="_blank" rel="noopener noreferrer">Cookies</a> will expire after their pre-defined lifetime</p></blockquote><ul><li><code>AUTH_TOKEN</code> - A unique token, generated from a hash of users credentials, to verify they are authenticated. Only used when auth is enabled.</li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="session-storage"></a>Session Storage<a class="hash-link" href="#session-storage" title="Direct link to heading">#</a></h3><blockquote><p><a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage" target="_blank" rel="noopener noreferrer">Session storage</a> is deleted when the current session ends (tab / window is closed)</p></blockquote><ul><li><code>SW_STATUS</code> - The current status of any service workers</li><li><code>ERROR_LOG</code> - List of recent errors</li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="local-storage"></a>Local Storage<a class="hash-link" href="#local-storage" title="Direct link to heading">#</a></h3><blockquote><p><a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage" target="_blank" rel="noopener noreferrer">Local storage</a> is persisted between sessions, and only deleted when manually removed</p></blockquote><ul><li><code>LANGUAGE</code> - 
The locale to show app text in</li><li><code>HIDE_WELCOME_BANNER</code> - Set to true once user dismissed welcome message, so that it&#x27;s not shown again</li><li><code>LAYOUT_ORIENTATION</code> - Preferred section layout, either horizontal, vertical or auto</li><li><code>COLLAPSE_STATE</code> - Remembers which sections are collapsed</li><li><code>ICON_SIZE</code> - Size of items, either small, medium or large</li><li><code>THEME</code> - The user&#x27;s applied theme</li><li><code>CUSTOM_COLORS</code> - Any color modifications made to a given theme</li><li><code>BACKUP_ID</code> - If a backup has been made, the ID is stored here</li><li><code>BACKUP_HASH</code> - A unique hash of the previous backup&#x27;s metadata</li><li><code>HIDE_SETTINGS</code> - Lets user hide or show the settings menu</li><li><code>USERNAME</code> - If user logged in, store username. Only used to show welcome message, not used for auth</li><li><code>CONF_SECTIONS</code> - Array of sections, only used when user applies changes locally</li><li><code>PAGE_INFO</code> - Config page info, only used when user applies changes locally</li><li><code>APP_CONFIG</code> - App config, only used when user applies changes locally</li><li><code>MOST_USED</code> - If smart sort is used to order items by most used, store open count</li><li><code>LAST_USED</code> - If smart sort is used to order items by last used, store timestamps</li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="deleting-stored-data"></a>Deleting Stored Data<a class="hash-link" href="#deleting-stored-data" title="Direct link to heading">#</a></h3><p>You can manually view and delete session storage, local storage and cookies at any time. First <a href="/docs/troubleshooting#how-to-open-browser-console">open</a> your browser&#x27;s developer tools (usually <kbd>F12</kbd>), then under the Application tab select the storage category. 
Here you will see a list of stored data, and you can select any item and delete it.</p><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="dependencies"></a>Dependencies<a class="hash-link" href="#dependencies" title="Direct link to heading">#</a></h2><p>As with most web projects, Dashy relies on several <a href="https://github.com/Lissy93/dashy/blob/master/docs/credits.md#dependencies-" target="_blank" rel="noopener noreferrer">dependencies</a>. For links to each, and a breakdown of their licenses, please see <a href="https://github.com/Lissy93/dashy/blob/master/.github/LEGAL.md" target="_blank" rel="noopener noreferrer">Legal</a>.</p><p>Dependencies can introduce security vulnerabilities, but since all these packages are open source any issues are usually very quickly spotted. Dashy is using Snyk for dependency security monitoring, and you can see <a href="https://snyk.io/test/github/lissy93/dashy" target="_blank" rel="noopener noreferrer">the latest report here</a>. 
If any issue is detected by Snyk, a note about it will appear at the top of the Readme, and the issue will usually be fixed within 48 hours.</p><p>Note that packages listed under the <code>devDependencies</code> section are only used for building the project, and are not included in the production environment.</p><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="securing-your-environment"></a>Securing your Environment<a class="hash-link" href="#securing-your-environment" title="Direct link to heading">#</a></h2><p>Running your self-hosted applications in individual, self-contained environments (such as containers or VMs) helps keep them isolated, and prevents an exploit in one service from affecting another.</p><p>If you&#x27;re running Dashy in a container, see <a href="https://github.com/Lissy93/dashy/blob/master/docs/management.md#container-security" target="_blank" rel="noopener noreferrer">Management Docs --&gt; Container Security</a> for a step-by-step security guide.</p><p>There is very little complexity involved with Dashy, and therefore the attack surface is reasonably small, but it is still important to follow best practices and employ monitoring for all your self-hosted apps. 
A couple of things that you should look at include:</p><ul><li>Use SSL/TLS for securing traffic in transit</li><li>Configure <a href="/docs/authentication#alternative-authentication-methods">authentication</a> to prevent unauthorized access</li><li>Keep your system, software and Dashy up-to-date</li><li>Ensure your server is appropriately secured</li><li>Manage users and SSH correctly</li><li>Enable and configure firewall rules</li><li>Implement security, malware and traffic scanning</li><li>Set up malicious traffic detection</li><li>Understand the <a href="https://docs.docker.com/engine/security/" target="_blank" rel="noopener noreferrer">Docker attack fronts</a>, and follow <a href="https://snyk.io/blog/10-docker-image-security-best-practices/" target="_blank" rel="noopener noreferrer">Docker Security Best Practices</a></li></ul><p>This is covered in more detail in <a href="/docs/management">App Management</a>.</p><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="security-features"></a>Security Features<a class="hash-link" href="#security-features" title="Direct link to heading">#</a></h2><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="subresource-integrity"></a>Subresource Integrity<a class="hash-link" href="#subresource-integrity" title="Direct link to heading">#</a></h3><p><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity" target="_blank" rel="noopener noreferrer">Subresource Integrity</a> or SRI is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. This prevents the app from loading any resources that have been manipulated, by verifying the files&#x27; hashes. 
It safeguards against the risk of an attacker injecting arbitrary malicious content into any files served up via a CDN.</p><p>Dashy supports SRI, and it is recommended to enable this if you are hosting your dashboard via a public CDN. To enable SRI, set the <code>INTEGRITY</code> environment variable to <code>true</code>.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="ssl"></a>SSL<a class="hash-link" href="#ssl" title="Direct link to heading">#</a></h3><p>Native SSL support is enabled; for setup instructions, see the <a href="/docs/management#ssl-certificates">Management Docs</a>.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="authentication"></a>Authentication<a class="hash-link" href="#authentication" title="Direct link to heading">#</a></h3><p>Dashy supports both basic auth and server-based SSO using Keycloak. Full details of both, along with alternate authentication methods, can be found in the <a href="/docs/authentication">Authentication Docs</a>. 
If your dashboard is exposed to the internet and/or contains any sensitive info, it is strongly recommended to configure access control with Keycloak or another server-side method, rather than relying on basic auth alone.</p><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="disabling-features"></a>Disabling Features<a class="hash-link" href="#disabling-features" title="Direct link to heading">#</a></h2><p>You may wish to disable features that you don&#x27;t want to use, if they involve storing data in the browser or making network requests.</p><ul><li>To disable smart-sort (uses local storage), set <code>appConfig.disableSmartSort: true</code></li><li>To disable update checks (makes an external request to GitHub), set <code>appConfig.disableUpdateChecks: true</code></li><li>To disable web search (redirect to external / internal content), set <code>appConfig.disableWebSearch: true</code></li><li>To keep status checks disabled (external/internal requests), set <code>appConfig.statusCheck: false</code></li><li>To keep font-awesome icons disabled (external requests), set <code>appConfig.enableFontAwesome: false</code></li><li>To keep error reporting disabled (external requests and data collection), set <code>appConfig.enableErrorReporting: false</code></li><li>To keep the service worker disabled (stores cache of app in browser data), set <code>appConfig.enableServiceWorker: false</code></li></ul><hr><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_WiXH" id="reporting-a-security-issue"></a>Reporting a Security Issue<a class="hash-link" href="#reporting-a-security-issue" title="Direct link to heading">#</a></h2><p>If you think you&#x27;ve found a critical issue with Dashy, please send an email to <code>security@mail.alicia.omg.lol</code>. 
You can encrypt it, using <a href="https://keybase.io/aliciasykes/pgp_keys.asc?fingerprint=0688f8d34587d954e9e51fb8fedb68f55c0283a7" target="_blank" rel="noopener noreferrer"><code>0688 F8D3 4587 D954 E9E5 1FB8 FEDB 68F5 5C02 83A7</code></a>. You should receive a response within 48 hours. For more information, see <a href="https://github.com/Lissy93/dashy/blob/master/.github/SECURITY.md" target="_blank" rel="noopener noreferrer">SECURITY.md</a>.</p><p>All non-critical issues can be raised as a ticket.</p><p>Please include the following information:</p><ul><li>Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)</li><li>Full paths of source file(s) related to the manifestation of the issue</li><li>The location of the affected source code (tag/branch/commit or direct URL)</li><li>Any special configuration required to reproduce the issue</li><li>Step-by-step instructions to reproduce the issue</li><li>Proof-of-concept or exploit code (if possible)</li><li>Impact of the issue, including how an attacker might exploit the issue</li></ul></div><footer class="row docusaurus-mt-lg"><div class="col"><a href="https://github.com/Lissy93/dashy/edit/gh-pages/docs/docs/privacy.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_mS5F" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_wj+Z"></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/docs/development-guides"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Development Guides</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a 
class="pagination-nav__link" href="/docs/changelog"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Changelog »</div></a></div></nav></div></div><div class="col col--3"><div class="tableOfContents_vrFS thin-scrollbar"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#contents" class="table-of-contents__link">Contents</a></li><li><a href="#external-requests" class="table-of-contents__link">External Requests</a><ul><li><a href="#icons" class="table-of-contents__link">Icons</a></li><li><a href="#features" class="table-of-contents__link">Features</a></li><li><a href="#themes" class="table-of-contents__link">Themes</a></li><li><a href="#widgets" class="table-of-contents__link">Widgets</a></li></ul></li><li><a href="#browser-storage" class="table-of-contents__link">Browser Storage</a><ul><li><a href="#cookies" class="table-of-contents__link">Cookies</a></li><li><a href="#session-storage" class="table-of-contents__link">Session Storage</a></li><li><a href="#local-storage" class="table-of-contents__link">Local Storage</a></li><li><a href="#deleting-stored-data" class="table-of-contents__link">Deleting Stored Data</a></li></ul></li><li><a href="#dependencies" class="table-of-contents__link">Dependencies</a></li><li><a href="#securing-your-environment" class="table-of-contents__link">Securing your Environment</a></li><li><a href="#security-features" class="table-of-contents__link">Security Features</a><ul><li><a href="#subresource-integrity" class="table-of-contents__link">Subresource Integrity</a></li><li><a href="#ssl" class="table-of-contents__link">SSL</a></li><li><a href="#authentication" class="table-of-contents__link">Authentication</a></li></ul></li><li><a href="#disabling-features" class="table-of-contents__link">Disabling Features</a></li><li><a href="#reporting-a-security-issue" class="table-of-contents__link">Reporting a Security Issue</a></li></ul></div></div></div></div></main></div></div><footer 
class="footer footer--dark"><div class="container"><div class="row footer__links"><div class="col footer__col"><div class="footer__title">Intro</div><ul class="footer__items"><li class="footer__item"><a href="https://github.com/lissy93/dashy" target="_blank" rel="noopener noreferrer" class="footer__link-item">GitHub</a></li><li class="footer__item"><a href="https://demo.dashy.to" target="_blank" rel="noopener noreferrer" class="footer__link-item">Live Demo</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/quick-start">Quick Start</a></li><li class="footer__item"><a class="footer__link-item" href="/docs">Documentation</a></li></ul></div><div class="col footer__col"><div class="footer__title">Setup Guide</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/docs/deployment">Deploying</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/configuring">Configuring</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/management">Management</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/troubleshooting">Troubleshooting</a></li></ul></div><div class="col footer__col"><div class="footer__title">Feature Docs Pt 1</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/docs/authentication">Authentication</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/alternate-views">Alternate Views</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/backup-restore">Backup &amp; Restore</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/icons">Icons</a></li></ul></div><div class="col footer__col"><div class="footer__title">Feature Docs Pt 2</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/docs/multi-language-support">Language Switching</a></li><li class="footer__item"><a class="footer__link-item" 
href="/docs/status-indicators">Status Indicators</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/searching">Searching &amp; Shortcuts</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/theming">Theming</a></li></ul></div><div class="col footer__col"><div class="footer__title">Community</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/docs/developing">Developing</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/development-guides">Development Guides</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/contributing">Contributing</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/showcase">Showcase</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/credits">Credits</a></li></ul></div><div class="col footer__col"><div class="footer__title">Misc</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/docs/privacy">Privacy &amp; Security</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/license">License</a></li><li class="footer__item"><a href="https://github.com/Lissy93/dashy/blob/master/.github/LEGAL.md" target="_blank" rel="noopener noreferrer" class="footer__link-item">Legal</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/code-of-conduct">Code of Conduct</a></li><li class="footer__item"><a class="footer__link-item" href="/docs/changelog">Changelog</a></li></ul></div></div><div class="footer__bottom text--center"><div class="footer__copyright"><a href="https://dashy.to">Dashy</a> - The Self-Hosted Dashboard for your Homelab<br>License under <a href="https://github.com/Lissy93/dashy/blob/master/LICENSE">MIT</a>. Copyright © 2024 <a href="https://aliciasykes.com">Alicia Sykes</a></div></div></div></footer></div>
<script src="/assets/js/runtime~main.ac7349e8.js"></script>
<script src="/assets/js/main.d13b237a.js"></script>
</body>
</html>