[GH-ISSUE #1532] Web UI should serve blank page when disabled #1079

New issue

Closed

opened 2026-05-07 00:30:06 +02:00 by BreizhHardware · 2 comments

BreizhHardware commented

2026-05-07 00:30:06 +02:00

Owner

Originally created by @NathanSweet on GitHub (Jan 4, 2026).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1532

With no web UI, ntfy serves up HTML, JavaScript, and CSS that makes it obvious ntfy is running on the port. Even the page title is "ntfy web". This gives an attacker a lot of information.

Can it serve a blank page instead? Ideally with a 404 header. With no web UI, nothing should be there.

Also favicon.ico and apple-touch-icon.png shouldn't be served. I would like only the endpoints without any trace of ntfy or the web UI.

Hiding this information isn't security, but there is no reason to explicitly tell an attacker exactly what is running. With the web UI disabled, there should be no trace of it.

Originally created by @NathanSweet on GitHub (Jan 4, 2026). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1532 With no web UI, ntfy serves up HTML, JavaScript, and CSS that makes it obvious ntfy is running on the port. Even the page title is "ntfy web". This gives an attacker a lot of information. Can it serve a blank page instead? Ideally with a 404 header. With no web UI, nothing should be there. Also `favicon.ico` and `apple-touch-icon.png` shouldn't be served. I would like only the endpoints without any trace of ntfy or the web UI. Hiding this information isn't security, but there is no reason to explicitly tell an attacker exactly what is running. With the web UI disabled, there should be no trace of it.

BreizhHardware

2026-05-07 00:30:06 +02:00

closed this issue
added the
enhancement
label

BreizhHardware commented

2026-05-07 00:30:06 +02:00

Author

Owner

@binwiederhier commented on GitHub (Jan 4, 2026):

This isn't quite accurate. Your browser cache is showing cached stuff.

curl -v http://localhost:2586/
* Host localhost:2586 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:2586...
* Connected to localhost (::1) port 2586
> GET / HTTP/1.1
> Host: localhost:2586
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Date: Sun, 04 Jan 2026 20:00:22 GMT
< Content-Length: 51
< 
{"code":40401,"http":404,"error":"page not found"}
* Connection #0 to host localhost left intact

@binwiederhier commented on GitHub (Jan 4, 2026): This isn't quite accurate. Your browser cache is showing cached stuff. ``` curl -v http://localhost:2586/ * Host localhost:2586 was resolved. * IPv6: ::1 * IPv4: 127.0.0.1 * Trying [::1]:2586... * Connected to localhost (::1) port 2586 > GET / HTTP/1.1 > Host: localhost:2586 > User-Agent: curl/8.5.0 > Accept: */* > < HTTP/1.1 404 Not Found < Access-Control-Allow-Origin: * < Content-Type: application/json < Date: Sun, 04 Jan 2026 20:00:22 GMT < Content-Length: 51 < {"code":40401,"http":404,"error":"page not found"} * Connection #0 to host localhost left intact ```

BreizhHardware commented

2026-05-07 00:30:07 +02:00

Author

Owner

@NathanSweet commented on GitHub (Jan 4, 2026):

Gah, you're right! Silly browser strikes again. Sorry for the trouble.

@NathanSweet commented on GitHub (Jan 4, 2026): Gah, you're right! Silly browser strikes again. Sorry for the trouble.