As far as I can see, anyone with access to the port (whether it be via a public interface or via a local LAN connection) is able to make any changes they wish to the admin configuration for Caddy?
I also can't quite see a way to disable this, for instance with 'enforce_origin' and 'origins', those will only affect web browsers, as other applications can set them to whatever they wish?
You can turn off the admin endpoint if it makes you queasy, but that will also turn off the possibility of graceful reloads using the caddy reload command.
By default the admin endpoint only listens on localhost:2019, so any services outside the machine that runs Caddy won't have access to it.
For next time, please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests.
> As far as I can see, anyone with access to the port (whether it be via a public interface or via a local LAN connection) is able to make any changes they wish to the admin configuration for Caddy?
Try it, and let us know how it goes!
> I also can't quite see a way to disable this, for instance with 'enforce_origin' and 'origins', those will only affect web browsers, as other applications can set them to whatever they wish?
How much untrusted code is running on your machine? Once that happens, all bets are off anyway.
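A way to check where a given Caddy JSON config puts the admin endpoint, covering the points raised in the thread (default `localhost:2019`, disabling the endpoint, and `enforce_origin`). This is an added example, not code from the thread or from the Caddy project; the function names and the sample configs, including the socket path, are constructed for illustration.

```python
import ipaddress

DEFAULT_LISTEN = "localhost:2019"  # default admin address, as stated in the thread

def classify_listen(addr):
    """Classify an admin listen address: unix, loopback, all-interfaces or network."""
    if addr.startswith("unix/"):
        return "unix"
    # Drop an optional network prefix such as "tcp/".
    hostport = addr.split("/", 1)[1] if "/" in addr else addr
    host = hostport.rsplit(":", 1)[0].strip("[]")
    if host == "":
        return "all-interfaces"          # ":2019" binds every interface
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "network"                 # some other hostname: assume reachable
    if ip.is_unspecified:
        return "all-interfaces"          # 0.0.0.0 or ::
    return "loopback" if ip.is_loopback else "network"

def audit_admin(config):
    """Return (level, message) findings for the "admin" block of a Caddy JSON config."""
    admin = config.get("admin") or {}
    if admin.get("disabled"):
        return [("info", "admin endpoint disabled; caddy reload is unavailable")]
    listen = admin.get("listen", DEFAULT_LISTEN)
    kind = classify_listen(listen)
    if kind == "loopback":
        return [("info", f"{listen}: loopback only; local processes can still reach it")]
    if kind == "unix":
        return [("info", f"{listen}: unix socket; file permissions control access")]
    findings = [("high", f"{listen}: admin API reachable beyond this machine ({kind})")]
    if admin.get("enforce_origin"):
        # The Origin header is supplied by the client, so it only constrains browsers.
        findings.append(("note", "enforce_origin does not stop non-browser clients"))
    return findings

if __name__ == "__main__":
    samples = [  # constructed sample configs
        {},
        {"admin": {"disabled": True}},
        {"admin": {"listen": "unix//run/caddy/admin.sock"}},
        {"admin": {"listen": ":2019", "enforce_origin": True}},
    ]
    for cfg in samples:
        print(cfg, "->", audit_admin(cfg))
```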