
Security

blycr edited this page Feb 6, 2026 · 1 revision

Security Guide

MSP provides practical LAN-focused access control via IP filtering and PIN authentication.

Security Model

  • Client IP source: RemoteAddr only.
  • Proxy headers such as X-Forwarded-For and X-Real-IP are ignored in home mode.
  • Session cookie: msp_session, HttpOnly, SameSite=Lax, Secure=false (LAN HTTP default).

Configuration

{
  "security": {
    "ipWhitelist": ["127.0.0.1", "192.168.1.0/24"],
    "ipBlacklist": [],
    "pinEnabled": true,
    "pin": "1234"
  }
}

Behavior

  1. If an IP whitelist is configured, it is checked first: only clients whose address falls in the list are let through.
  2. The IP blacklist takes priority: a client matching it is always denied, even when it also matches the whitelist.
  3. If pinEnabled=true, API requests require a valid session token:
    • Header: X-Session-Token
    • Cookie: msp_session

PIN API

  • Endpoint: POST /api/pin
  • Request body: { "pin": "1234" }
  • Response: { "valid": true, "enabled": true }
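A handler for the exchange above, added here as an illustration and not MSP's own implementation. It parses the {"pin": ...} body, compares it with crypto/subtle so the response time does not depend on how many leading digits matched, and on success mints a random session token and sets the msp_session cookie with exactly the attributes listed under Security Model (HttpOnly, SameSite=Lax, Secure=false). The PinServer type, its in-memory session map, the 256-byte body cap, and the behaviour when the PIN is disabled (reply enabled=false, valid=false, no session issued) are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// PinServer is an illustrative POST /api/pin handler (not MSP's code).
type PinServer struct {
	enabled  bool
	pin      string
	mu       sync.Mutex
	sessions map[string]bool // assumed in-memory session store
}

func NewPinServer(enabled bool, pin string) *PinServer {
	return &PinServer{enabled: enabled, pin: pin, sessions: map[string]bool{}}
}

type PinResponse struct {
	Valid   bool `json:"valid"`
	Enabled bool `json:"enabled"`
}

func (s *PinServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req struct {
		Pin string `json:"pin"`
	}
	// a PIN request is a few bytes; cap the body so oversized input is rejected early
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 256)).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	resp := PinResponse{Enabled: s.enabled}
	if s.enabled {
		// constant time for equal-length inputs: timing does not reveal matching prefixes
		resp.Valid = subtle.ConstantTimeCompare([]byte(req.Pin), []byte(s.pin)) == 1
		if resp.Valid {
			http.SetCookie(w, &http.Cookie{
				Name: "msp_session", Value: s.newSession(), Path: "/",
				HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: false, // LAN HTTP default
			})
		}
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

// newSession mints a 128-bit random token and records it; a real server would also expire it.
func (s *PinServer) newSession() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.sessions[tok] = true
	s.mu.Unlock()
	return tok
}

// ValidSession is what the access check consults for X-Session-Token / msp_session.
func (s *PinServer) ValidSession(tok string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.sessions[tok]
}

// Try posts a PIN through an in-memory request and returns the decoded reply,
// the HTTP status and the msp_session cookie if one was set.
func Try(s *PinServer, pin string) (PinResponse, int, *http.Cookie) {
	body, _ := json.Marshal(map[string]string{"pin": pin})
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/api/pin", bytes.NewReader(body)))
	res := rec.Result()
	var resp PinResponse
	json.NewDecoder(res.Body).Decode(&resp)
	var cookie *http.Cookie
	for _, c := range res.Cookies() {
		if c.Name == "msp_session" {
			cookie = c
		}
	}
	return resp, res.StatusCode, cookie
}

func main() {
	s := NewPinServer(true, "1234") // PIN from the wiki's example config
	resp, code, c := Try(s, "1234")
	fmt.Printf("%d %+v session-cookie=%v\n", code, resp, c != nil)
}
```

Because Secure is false, both the PIN in the request body and the session cookie travel over plain HTTP on the LAN; that is the trade-off behind the wiki's advice not to expose the service to a public network.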

Recommendations

  • Home LAN: use at least a whitelist or PIN.
  • Public network exposure is not recommended by default.
  • Config supports hot reload; most changes apply in about 2 seconds.
