There’s the option of starting the server with:
duplicati-server --webservice-password=secure-password
Kenneth talks a little about it here.