by sbecker 1497 days ago
CapRover is nice and convenient, but security-wise, only a single password field is required on the admin console. (See demo here: https://captain.server.demo.caprover.com/#/login) Given this, it would be nice to at least make the web admin console only accessible via an IP whitelist, but last time I used it I did not find an easy way to do that.
2 comments

Can you not firewall the relevant admin webui port?
The admin webui runs on the captain sub-domain, so I'm not too sure if that can be firewalled.
How does any of that matter? Firewall the relevant port so that it only allows your connecting IP.
I haven’t used it but it appears to serve everything over the same port. You could block it with a reverse proxy but not with a firewall or layer 4 proxy.
Make a 256-bit password. Problem solved?