v0.3.4 — Security hardening (pre-CA-listing)
Security hardening release ahead of the Unraid Community Applications listing. No functional changes to the keep/report workflow.
Security fixes
Auth & access
- The poster image proxy (
/api/image) now enforces its own authentication — a request with a bogusX-Api-Keyheader can no longer bypass the gate. - New per-user session revocation: a "Sign out all devices" action in the user menu (and admin-disabling a user) immediately invalidates that account's outstanding session tokens.
- Login brute-force protection now buckets per-username and globally, so rotating
X-Forwarded-Forcan't sidestep it; the Plex PIN create/poll endpoints are rate-limited too. - First-run setup rejects non-HTTP(S) server URLs before probing.
- In production, Keeparr now fails closed on a missing/insecure
SESSION_SECRETand warns on a weak one.
Container (Unraid-friendly)
- Runs non-root with
PUID/PGIDsupport (defaults1001; use99/100on Unraid). The container fixes/dataownership on start, so a fresh appdata path no longer causes a permission error. HEALTHCHECKhonors a customPORT; app files are root-owned/read-only; base image is digest-pinned.
Hardening
- 15s timeout on all outbound requests; poster proxy clamps dimensions and only serves images.
- GitHub Actions pinned to commit SHAs with Dependabot to keep them current.
Upgrade notes
- If you set
SESSION_SECRETyourself, make sure it's high-entropy (openssl rand -hex 32) — a short value now warns at boot. - On Unraid, set
PUID=99/PGID=100to match your appdata ownership.