Recently, LunaSea added a new feature that allows you to define multiple custom headers (key and value both) to send to Sonarr/Radarr/etc. This feature can be very useful if you run these behind some sort of reverse proxy and have some sort of server side authentication like basic auth. In my example, I run them behind Organizr, and I have most of my endpoints locked down by default. If I could pass my Organizr API key as a header, I could keep them locked down vs having to open them up so NZB360 can communicate with them.

As such, opening up API endpoints isn't the end of the world since you still have to authenticate against the service. However, each service may handle this differently, i.e. they may not rate limit or even pull the real IP since it's behind a reverse proxy. Some services like NZBHydra may actually require multiple endpoints to be opened up for the application to work properly. With Organizr, I can properly rate limit as well as log real IPs in a standardized fashion, keeping it secure while still allowing NZB360 to communicate.

The benefit of the approach Lunasea took is that custom headers are fully flexible, so they can be used in multiple scenarios besides just the Organizr one I listed above.
I would love it if this feature came to nzb360.

I don't run a VPN to my network instead I currently expose my NZB services through Cloudflare Access & don't have a way of associating the servers with nzb360 without passing additional headers.

Cloudflare Access allows you to bypass it if you provide the following headers:
* CF-Access-Client-Id: <Client ID>
* CF-Access-Client-Secret: <Client Secret>
Hi, I am interested too and I would love this feature to be implemented. My current setup has an authentication in front of the service and I cannot access from the outside because of it. In my opinion one header per server should be enough
Hi everyone! Sorry for jumping in. This would be a killer feature for my setup, I'm running my applications with with docker + traefik v2 proxy. I was able to configure 2FA adding Authelia+DUO (before I was with google oauth and no issues too) configuring Radarr and Sonarr with a bypass rule related to their API keys.
Only Qbittorent is left without a 2FA cause authentication flow is too generic to apply a bypass header rule, I could setup something like "/api/v2/auth/login" but is pretty useless.
Custom header should cover the whole scenario without boring about single applications providing API keys.
Sorry, for some reason, I never saw the replies to this. For my usecase, a single global custom header is good enough, but just FYI, Lunasea does allow multiple custom headers per service, with the option for a basic auth header or something completely custom.
I fully support this idea. I've had to leave my subdomains open for all my apps for NZB360 to work correctly and I just can't do it any more. Too much of a security risk.