As it stands now, it appears the Hubitat Web interface is open to anyone on the same network as the hub. Unlike Home Assistant (and maybe Vera, though I didn’t use it long enough to remember), there is no password protection or similar, so more or less anyone at your house can go through and modify your devices, automations, hub, etc. and, intentionally or not, possibly change or break things. (EDIT: And of course, to compare it to SmartThings, SmartThings requires a username and password login to the app with, of course, no Web interface.)
Is there a different, less-obvious way around this problem? (Obviously segregating the hub to a special vLAN with the right configuration would be one way to help mitigate this problem, but I don’t think most people are going to do that, and it of course makes it more difficult to access than a simple password would.)
I also notice that the traffic is currently HTTP. If there were login information transmitted, I’d obviously prefer HTTPS (even on my own network), so I guess that would be another feature I’d want with this one.
If none of these are possible for some reason, even a Hue-esque “username” in the URL that needs to be on a whitelist would be better than granting wide-open access. Without a physical button on the device itself to press to authorize this creation, it would probably be more difficult to implement, though the initial “portal” registration could probably handle the initial creation of this.
Someone let me know if I’m missing something here; otherwise these are just a few ideas I have to keep my hub from being wide-open on my network.