Mopidy-HTTP is an extension that lets you control Mopidy through HTTP and WebSockets, for example from a web client. It is bundled with Mopidy and enabled by default.
When it is enabled it starts a web server at the port specified by the
http/port config value.
As a simple security measure, the web server is by default only available
from localhost. To make it available from other computers, change the
http/hostname config value. Before you do so, note that the HTTP
extension does not feature any form of user authentication or
authorization. Anyone able to access the web server can use the full core
API of Mopidy. Thus, you probably only want to make the web server
available from your local network or place it behind a web proxy which
takes care of user authentication. You have been warned.
Hosting web clients¶
See Configuration for general help on configuring Mopidy.
[http] enabled = true hostname = 127.0.0.1 port = 6680 zeroconf = Mopidy HTTP server on $hostname allowed_origins = csrf_protection = true
If the HTTP extension should be enabled or not.
Which address the HTTP server should bind to.
- Listens only on the IPv4 loopback interface
- Listens only on the IPv6 loopback interface
- Listens on all IPv4 interfaces
- Listens on all interfaces, both IPv4 and IPv6
Which TCP port the HTTP server should listen to.
Name of the HTTP service when published through Zeroconf. The variables
$portcan be used in the name.
If set, the Zeroconf services
_mopidy-http._tcpwill be published.
Set to an empty string to disable Zeroconf for HTTP.
A list of domains allowed to perform Cross-Origin Resource Sharing (CORS) requests. This applies to both JSON-RPC and WebSocket requests. Values should be in the format
hostname:port, should not specify any scheme and be separated by either a comma or newline. Additionally, the
portshould not be specified if it is the default (80 for http, 443 for https).
Same-origin requests (i.e. requests from Mopidy’s web server) are always allowed and so you don’t need an entry for those. However, if your requests originate from a different web server, you will need to add an entry for that server in this list. For example, to allow requests from a web server at ‘http://my-web-client.example.com’ you would specify the entry ‘my-web-client.example.com’.
Enable the HTTP server’s protection against Cross-Site Request Forgery (CSRF) from both JSON-RPC and WebSocket requests.
Disabling this will remove the requirement to set a
Content-Type: application/jsonheader for JSON-RPC POST requests. It will also disable all same-origin checks, effectively ignoring the
http/allowed_originsconfig since requests from any origin will be allowed. Lastly, all
Access-Control-Allow-*response headers will be suppressed.
This config should only be disabled if you understand the security implications and require the HTTP server’s old behaviour.