v0.3.3 — security hardening
A security-hardening pass ahead of the Unraid Community Applications listing. No user-facing feature changes.
Fixed
- SSRF hardening — the poster proxy now allowlists the image
path(Plex/library/…only; no:///..), so it can't be used to make the media server fetch arbitrary URLs. - Login rate limiting — Jellyfin/Emby credential logins are capped per IP (brute-force defense).
- Constant-time API-key comparison.
- Loud warning on a production boot using the default
SESSION_SECRET. - Dependencies:
npm auditclean (postcss pinned). - Image: npm/yarn/corepack stripped from the runtime layer → no HIGH/CRITICAL CVEs in the published image.
- Response headers:
X-Frame-Options,X-Content-Type-Options,Referrer-Policy, and aframe-ancestorsCSP (clickjacking protection).
Install
ghcr.io/drohack/keeparr:latest
Multi-arch (amd64 + arm64).