Skip to content

v0.3.3 — security hardening

Choose a tag to compare

@drohack drohack released this 07 Jul 14:10

A security-hardening pass ahead of the Unraid Community Applications listing. No user-facing feature changes.

Fixed

  • SSRF hardening — the poster proxy now allowlists the image path (Plex /library/… only; no :///..), so it can't be used to make the media server fetch arbitrary URLs.
  • Login rate limiting — Jellyfin/Emby credential logins are capped per IP (brute-force defense).
  • Constant-time API-key comparison.
  • Loud warning on a production boot using the default SESSION_SECRET.
  • Dependencies: npm audit clean (postcss pinned).
  • Image: npm/yarn/corepack stripped from the runtime layer → no HIGH/CRITICAL CVEs in the published image.
  • Response headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a frame-ancestors CSP (clickjacking protection).

Install

ghcr.io/drohack/keeparr:latest

Multi-arch (amd64 + arm64).