Hello,
Do you have any settings on the switch for protecting the management access? Are you using local or remote authentication (RADIUS or TACACS) for management access.
With the default settings the access to the webUI is controlled by both default local user accounts on the switch -operator and manager. But if you didnt configure passwords for this accounts (they dont have passwords by default), the switch will not enforce authentication. So if you dont have passwords for manager or operator you can configure a password and the access to the WebUI will be blocked until an user enters this password. Here for example how you configure a password for the local user account "manager" (this will be the user name you enter when prompted).
HPE#config
HPE(config)# password manager
New password for manager: ********
Re-enter the new password for manager: ********
HPE(config)#
If you are using RADIUS server for admin user authentication you can also enable RADIUS authentication for web access with this commands. login and enable are the access levels (operator and manager)
HPE(config)# aaa authentication web login radius
HPE(config)# aaa authentication web enable radius
This commands disable local authentication the switch will only use the RADIUS server for authentication. You can configure a secondary method local which will be used only when the RADIUS server is not reachable.
HPE(config)# aaa authentication web login radius local
HPE(config)# aaa authentication web enable radius local
There is also another approach to addressing this, without using authentication. You can use the command ip authorized-managers to specify which stations are allowed to have access to the management interfaces of the switch. It is described in the following document.
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/c_Using_Authorized_IP_Managers.html
You can specify a single address or a range of addresses. You can also specify access-level and priviledge-level.
HTH