# 8. Security

This page controls access to the SLZB‑OS web interface and the TCP “socket” that exposes the Zigbee coordinator to Z2M/ZHA. The options below are listed exactly as they appear.

---

[![image.png](https://smlight.tech/support/manuals/uploads/images/gallery/2025-08/scaled-1680-/4koimage.png)](https://smlight.tech/support/manuals/uploads/images/gallery/2025-08/4koimage.png)

## 8.1 Web‑server when socket is connected

**What it does:** Controls whether the SLZB‑OS web UI remains available while the coordinator’s TCP socket is actively in use by Zigbee2MQTT or ZHA.

- **Enable** – The web server stays accessible **even when** the socket is already connected (e.g., your Z2M/ZHA is using the coordinator). Useful when you want to keep configuring the device during active operation.
- **Disable** – The web server is **turned off** whenever the socket is connected. This adds security by preventing web access while Z2M/ZHA is using the coordinator.

**Recommendation:**  
For maximum security on production systems, choose **Disable**. Use **Enable** while commissioning or troubleshooting.

---

## 8.2 Web server authentication

**What it does:** Enables login protection for the SLZB‑OS web interface.

- **Enable web server authentication** – Requires credentials to access the web UI.
- **Fields (shown when enabled):**
    - **Login** – Username for web access
    - **Password** – Password for web access

**Recommendation:**  
Keep this **enabled** and use a strong password.

---

## 8.3 IP whitelist for socket

**What it does:** Restricts which client can connect to the **Zigbee TCP socket** (the bridge used by Z2M/ZHA).

- **Enable IP whitelist for socket** – Only the specified address can connect to the Zigbee socket.
- **Field:**
    - **Allowed IP** – A **single IP address** permitted to access the socket. All other addresses are blocked.
- **Disable** – Any device on the network can attempt to access the socket (less secure).

**Recommendation:**  
Enable this and set **Allowed IP** to the host that runs Z2M/ZHA (e.g., your Home Assistant server).
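
To confirm the whitelist is actually enforced, you can probe the socket from a machine that is **not** the Allowed IP. The script below is an added example, not part of SLZB‑OS or this manual; the host and port are supplied by you, and because the manual does not say how a non-allowed client is rejected, it treats a refusal, a timeout and an immediate close all as "blocked".

```python
#!/usr/bin/env python3
"""Added example: check from a host that is NOT the Allowed IP that the
Zigbee TCP socket rejects it. Host and port are supplied by the operator."""
import argparse
import socket
import sys

# Outcomes that mean this client could not use the socket.
BLOCKED = {"refused", "filtered", "closed_after_accept"}

def probe_socket(host, port, timeout=3.0, hold=1.0):
    """Passively classify how host:port treats this client (sends no data)."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        raise                         # bad hostname is an operator error, not a block
    except ConnectionRefusedError:
        return "refused"              # active rejection (TCP RST)
    except OSError:
        return "filtered"             # timeout or unreachable: silently dropped
    with conn:
        conn.settimeout(hold)
        try:
            data = conn.recv(1)
        except (socket.timeout, TimeoutError):
            return "open"             # accepted and held open, peer is silent
        except OSError:
            return "closed_after_accept"  # reset right after the handshake
        # b"" means the peer closed; any byte means it is talking to us
        return "closed_after_accept" if data == b"" else "open"

def is_blocked(result):
    return result in BLOCKED

def main(argv=None):
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("host", help="coordinator address")
    ap.add_argument("port", type=int, help="socket port from your device settings")
    args = ap.parse_args(argv)
    result = probe_socket(args.host, args.port)
    print(f"{args.host}:{args.port} -> {result}")
    return 0 if is_blocked(result) else 1   # exit 1 = socket reachable from here

if __name__ == "__main__":
    sys.exit(main())
```

As a control, run it once from the allowed host with Z2M/ZHA stopped: if that also reports a blocked result, the outcome is caused by something other than the whitelist.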

---

## 8.4 Fallback Wi‑Fi AP password

**What it does:** Protects the **fallback Wi‑Fi access point** (brought up by the device in recovery/initial setup scenarios).

- **Activate password for Fallback Wi‑Fi AP** – Requires a password to join the fallback AP.

**Recommendation:**  
Enable this to prevent unauthorized local access during recovery.

---

## 8.5 Save & Operational Notes

- After changing security options, **Save/Apply** and reconnect if prompted.
- If you **Disable web server when socket is connected**, you may temporarily lose UI access when Z2M/ZHA is connected; disconnect the client or stop the service to regain the UI.
- When **IP whitelist for socket** is enabled with a wrong IP, Z2M/ZHA will fail to connect—double‑check the **Allowed IP** value.