Spotify password exposed

If you enable the spotify service, every HTTP request to settings.php contains your spotify password in the input with ID spotpassword

This should, at a bare minimum, not be returned with the settings.php call.

I was looking for a way to pull request, and fix this myself, since I did on my own volumio device, but did not locate it.

Yes, that is a security problem! Please send a pull request to and I’ll help review.