If you enable the Spotify service, every HTTP request to settings.php contains your Spotify password in the input with ID spotpassword.
This should, at a bare minimum, not be returned with the settings.php call.
I was looking for a way to open a pull request and fix this myself, since I did on my own Volumio device, but did not locate it.
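
A check for the exposure reported above, as an added example that is not part of the original report or of Volumio's code: it parses a returned page and lists credential inputs that arrive with a pre-filled value. Only settings.php and the spotpassword ID come from the report; the sample markup and the other field names are constructed.

```python
from html.parser import HTMLParser

# Constructed sample of a settings page response (not Volumio's real markup).
# Only the "spotpassword" ID is taken from the report.
SAMPLE_HTML = """
<form method="post" action="settings.php">
  <input type="text" id="spotusername" name="spotusername" value="alice">
  <input type="password" id="spotpassword" name="spotpassword"
         value="constructed-secret">
  <input type="password" id="otherpassword" name="otherpassword" value="">
  <input type="submit" value="Save">
</form>
"""


class PrefilledSecretFinder(HTMLParser):
    """Collects credential-like <input> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attributes without a value are reported as None by HTMLParser.
        a = {name: (value or "") for name, value in attrs}
        label = a.get("id") or a.get("name") or "<unnamed>"
        is_password_type = a.get("type", "").lower() == "password"
        # Also catch secrets rendered as plain text inputs, by field name.
        looks_like_secret = "pass" in label.lower()
        if (is_password_type or looks_like_secret) and a.get("value", "").strip():
            self.findings.append(label)


def find_prefilled_password_inputs(html):
    """Return the id (or name) of every credential input with a value set."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for field in find_prefilled_password_inputs(SAMPLE_HTML):
        print(f"stored secret echoed back to the client in input: {field}")
```
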