I run the Duplicacy Web Edition to view long-term statistics about my backups. I set the Web GUI to be publicly available to the internet so I can access it from my server, and I was talking to a friend who notified me that when he accessed the site he was allowed in without the password. It seems that once the password has been typed in once, anyone is allowed access. This is a major security issue, especially if it’s not explained that this is the case. It would be beneficial to require everyone who accesses the URL to enter the password, not just after someone enters it.
Until this is fixed, I am going to have to change it back so it listens on the local host, or most likely use a private network to access it.
It may be a good idea to notify the user that they are exposing the Web UI to anyone.