Not an issue as such although I was not sure where to post. I have just installed this today and so far seems like it is working great.
I would soon like to expose my HA to the internet and am conscious about security, and that I may not have configured it correctly. What are the main things to look out for when exposing this in a live PROD instance?
Another thought I had: is there a way that I can use this script only internally? And, if my HA is exposed to the web, will it prompt the user to log in twice (once with Authelia and the other with HA)?
Separately, I had to add username_header: Remote-User (auth_header) to my HA config file. From my understanding, it passes and allows access to HA for anyone with the same username? What's to stop someone being able to pass this header by using my username? Bear with me, as my understanding is super patchy and I am still trying to figure it out! Thanks for your guidance.
Make sure http.trusted_proxies is set correctly. I think HA requires this nowadays anyways, but make sure to set that to the IP/subnet of your internal reverse proxy. That's about all you have to ensure really.
Not sure if you can do it that way around, although this component will continue with the next auth method if the header is not set.
That's limited by the first setting: the header will only be used when the request comes from one of those IPs.
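The rule described in the reply above, as an added example that is not part of the original thread and is not the component's own code: a Python model in which the Remote-User header counts only when the connecting peer is listed in trusted_proxies, and a missing header falls through to the next auth method. The function names and all IP addresses are constructed for illustration.

```python
import ipaddress

USERNAME_HEADER = "Remote-User"  # header name from the post's auth_header config


def parse_trusted(entries):
    """Parse trusted_proxies-style entries (single IPs or CIDR subnets)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def header_login(peer_ip, headers, trusted, header=USERNAME_HEADER):
    """Return the username to accept, or None to fall through to the next auth method."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer.version == net.version and peer in net for net in trusted):
        return None  # not from a trusted proxy: the header is ignored
    # HTTP header names are case-insensitive, so compare in lower case.
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get(header.lower(), "").strip() or None


# Constructed sample data: the reverse proxy is assumed to sit at 192.168.1.10.
PROXY_ONLY = parse_trusted(["192.168.1.10"])
WHOLE_LAN = parse_trusted(["192.168.1.0/24"])
SAMPLES = [
    ("192.168.1.10", {"Remote-User": "alice"}),  # forwarded by the proxy after login
    ("192.168.1.10", {}),                        # via the proxy, header not set
    ("203.0.113.50", {"Remote-User": "alice"}),  # direct connection, client-supplied header
    ("192.168.1.77", {"remote-user": "alice"}),  # other LAN host, client-supplied header
]


def evaluate(trusted):
    """Apply header_login to every constructed sample under one trusted list."""
    return [header_login(ip, hdrs, trusted) for ip, hdrs in SAMPLES]


if __name__ == "__main__":
    print("proxy only:", evaluate(PROXY_ONLY))
    print("whole LAN: ", evaluate(WHOLE_LAN))
```

With the whole /24 trusted, the header supplied by the other LAN host is accepted, which is why the entry should be as narrow as the proxy's own address.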