Skip to content

v0.3.4 — Security hardening (pre-CA-listing)

Choose a tag to compare

@drohack drohack released this 07 Jul 15:10

Security hardening release ahead of the Unraid Community Applications listing. No functional changes to the keep/report workflow.

Security fixes

Auth & access

  • The poster image proxy (/api/image) now enforces its own authentication — a request with a bogus X-Api-Key header can no longer bypass the gate.
  • New per-user session revocation: a "Sign out all devices" action in the user menu (and admin-disabling a user) immediately invalidates that account's outstanding session tokens.
  • Login brute-force protection now buckets per-username and globally, so rotating X-Forwarded-For can't sidestep it; the Plex PIN create/poll endpoints are rate-limited too.
  • First-run setup rejects non-HTTP(S) server URLs before probing.
  • In production, Keeparr now fails closed on a missing/insecure SESSION_SECRET and warns on a weak one.

Container (Unraid-friendly)

  • Runs non-root with PUID/PGID support (defaults 1001; use 99/100 on Unraid). The container fixes /data ownership on start, so a fresh appdata path no longer causes a permission error.
  • HEALTHCHECK honors a custom PORT; app files are root-owned/read-only; base image is digest-pinned.

Hardening

  • 15s timeout on all outbound requests; poster proxy clamps dimensions and only serves images.
  • GitHub Actions pinned to commit SHAs with Dependabot to keep them current.

Upgrade notes

  • If you set SESSION_SECRET yourself, make sure it's high-entropy (openssl rand -hex 32) — a short value now warns at boot.
  • On Unraid, set PUID=99 / PGID=100 to match your appdata ownership.