Security question regarding Hubitat endpoints

So, I don't currently use any local hub security. You can just open the GUI page from a local connection, no security required.

I've recently discovered the existence of endpoints where a browser merely has to browse to a particular address, and administrative actions can be commanded without having to push any buttons. Are these endpoints secured by password if I enable local login security?

I believe so. At least for the endpoints that I have used.

Speaking from HPM's viewpoint, the vast majority of what HPM does is use endpoints that provide a programmatic interface to the button clicks. All of HPM's actions are prefaced with login logic.

A simple snippet from HPM:

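def performUpdates(runInBackground) {
	def resultData = [success: null, succeeded: [], failed: [], message: null]
	// login() returns true when no credentials are required or the entered ones are valid
	if (!login()) {
		// Login failed: record the error and return without performing any updates
		resultData.message = triggerError("Error logging in to hub", "An error occurred logging into the hub. Please verify your Hub Security username and password.", runInBackground)
		resultData.success = false
		return resultData
	}
	// ... the updates proceed from here (rest of the method is not shown in this snippet)
}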

That "if (!login()) {" is where it's checked. "login()" is called and if successful (no login credentials required OR the ones that have been entered are valid) then TRUE is returned and !login() = false and the following code is skipped and the Updates (in this example) proceed.
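One way to check the original question on your own hub, as an added example that is not part of any post here and not HPM code: request each admin path with no session cookie, do not follow redirects, and see whether the hub bounces you to a login page or serves the request. The stub server, the path name, and the idea that a secured hub answers with a redirect to /login or a 401/403 are assumptions made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def classify(status, location):
    """Label the response an admin path gave to a request with no credentials."""
    if status in (301, 302, 303, 307) and "/login" in (location or ""):
        return "gated"    # bounced to the login page
    if status in (401, 403):
        return "gated"    # refused outright
    if 200 <= status < 300:
        return "OPEN"     # served without any login
    return "unknown"      # anything else needs a manual look

def audit(host, port, paths):
    """GET each path without a cookie; http.client never follows redirects."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        results[path] = classify(resp.status, resp.getheader("Location"))
        conn.close()
    return results

class StubHub(BaseHTTPRequestHandler):
    """Constructed stand-in for a hub, so the example runs offline."""
    secured = True

    def do_GET(self):
        if self.secured and "session=" not in self.headers.get("Cookie", ""):
            self.send_response(302)
            self.send_header("Location", "/login")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(secured):
    """Run the audit against the stub with login security on or off."""
    StubHub.secured = secured
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubHub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port, ["/hypothetical/admin-action"])
    finally:
        server.shutdown()
        server.server_close()
```

Against a real hub, point `audit` at read-only pages rather than action endpoints, because an endpoint that turns out to be open will run when it is fetched.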

This thread got me thinking. If I were to go back and add hub Security, what all do I need to do as far as HPM is concerned?

Tell it:

Package Manager Settings:

[Image: Screenshot 2024-02-04 at 1.35.47 PM]