You can avoid most security issues (with any sort of server) by not exposing it publicly. Use a VPN like Tailscale to connect remotely. If you share the server with friends or family, share it with them over Tailscale and use an ACL to configure which services they can access on your server.
It’s a good practice to NOT expose services to the internet unless it’s really needed. If they’re only for your use, then the entire world doesn’t need access. This isn’t specific to Jellyfin.
All software has the potential to have security issues.
thats, like, your opinion man. frankly slapping a VPN on top of everything else doesnt improve your security posture unless you have the skills to manage that system on top of everything, including ongoing validation that its configuration is restricting what you want it to.
a robust authn/authz at the application layer is what secures your environment. VPNs are just slapping a wall around your network that is trivially penetrated by the browsers (and their extensions) within your network.
stop spouting dogma seriously doesnt make you look intelligent. personally the only reason I bother with a VPN is so I can leverage my local networks dns to access services anywhere. its not for security.
If a service is publicly accessible, anyone can access it. Even if it’s secured, there can be security issues in the auth layer of the app, improperly secured endpoints, etc.
If a service is only available over VPN, nobody can access it unless they’re on the VPN. The service isn’t visible over the public internet and other people won’t even know it exists. You can require two factor auth to connect to the VPN.
I’m not sure why you seem to think that a private network isn’t more secure than a public network. There’s a reason why practically every company requires people working remotely to connect to a VPN to access company resources.
If a service is publicly accessible, anyone can access it.
false.
Even if it’s secured, there can be security issues in the auth layer of the app, improperly secured endpoints, etc.
true, fun fact a VPN is also an application with an auth layer. dun dun dun!
If a service is only available over VPN, nobody can access it unless they’re on the VPN.
which is basically anyone soon as a browser is in the mix. which it is.
I’m not sure why you seem to think that a private network isn’t more secure than a public network.
because I’ve done network hardening and know that they are only as secure as the devices and people that are a part of that network. it has nothing to do w/ private vs public and everything to do with what you do while within that network.
There’s a reason why practically every company requires people working remotely to connect to a VPN to access company resources.
uh huh. heard of lemmings? appeals to authority? etc, etc, etc. thats you right now. federal agencies guidelines regarding VPNs search terms for you: Federal Zero Trust Strategy (notably via OMB Memo M-22-09). Individuals like yourself are literally the reason they had to release these updated guidelines. because people kept quoting out of date security practices from their old guidelines as ‘good enough for the feds must be best practices’
like i said you dont know what you’re talking about. historical foot note: when the federal agency updated their recommendations regarding VPNs they were criticized by security experts for taking so fucking long to finally remove the misguided position that VPNs improve security that you hold.
here is a relevant snippet for everyone:
Regardless of the approach selected, agencies must move away from the practice of
maintaining a broad enterprise-wide network that allows enhanced visibility or access to many
distinct applications and enterprise functions. Accordingly, agencies should choose their zero
trust approach early enough to permit them to align that approach with their plans for IT
investment
Literally use ‘authn/authz’ and dont rely on VPNs for ACL. Here is another gem from that memo for today’s lucky 10,000:
Agencies must remove password policies that require
special characters and regular password rotation from
all systems
and yet companies still put that nonsense into their security policies.
except its not. VPNs provide no real protection for a network. its literally undercut by any network connection that reaches beyond the wall it provides.
VPNs are a routing simplification and privacy measure not a security measure. idiots try and use them as a security layer thinking they’re safer.
It’s not really a hassle though. It’s just a one time setup. Tailscale can stay connected all the time, since by default only Tailscale IPs are routed via it (so it won’t affect LAN or internet access)
If you want less hassle then use a Debrid service like Premiumize or Real-Debrid.
You can’t throw shade on Jellyfin, leave plex out of the discussion and then claim to run neither and essentially not caring…
Why participate at all with this argument??
Yeah I should’ve probably emphasised that Plex isn’t free of security vulnerabilities either, but I didn’t because I never even considered running it on my server, given the insane price.
Why participate with this argument? I was hoping to be proven wrong on the claim that jellyfin is insecure.
I was hoping to be proven wrong on the claim that jellyfin is insecure.
The constant argument being parotted (IMO a bit extra overblown) that you can read files by knowing the file path and being able to access the stream urls without authentication.
So if I know /data/media/movie/A Super Secret Movie [2026] (not unlikely due to assumed default paths with docker installations)
and https://jellyfin.example.local/
I can supposedly guess that the URL is https://jellyfin.example.local/video/source=?1029rifos0xomsoc93 and access the stream.
Is it an issue? Yes, you are bypassing active authentication
What is the actual security problem? You can be ddosed by being streames to death? Oh no, what will I do /s
If anyone else can give a more grave exampe why it’s worse than the above example: Please do. I don’t see the issue besides bypassing authentication.
Isn’t jellyfin full of security vulnerabilities? (Not to defend Plex, just a thought. This is why I don’t have a video streaming server at all.)
You can avoid most security issues (with any sort of server) by not exposing it publicly. Use a VPN like Tailscale to connect remotely. If you share the server with friends or family, share it with them over Tailscale and use an ACL to configure which services they can access on your server.
things you shouldnt need to do…
It’s a good practice to NOT expose services to the internet unless it’s really needed. If they’re only for your use, then the entire world doesn’t need access. This isn’t specific to Jellyfin.
All software has the potential to have security issues.
thats, like, your opinion man. frankly slapping a VPN on top of everything else doesnt improve your security posture unless you have the skills to manage that system on top of everything, including ongoing validation that its configuration is restricting what you want it to.
a robust authn/authz at the application layer is what secures your environment. VPNs are just slapping a wall around your network that is trivially penetrated by the browsers (and their extensions) within your network.
stop spouting dogma seriously doesnt make you look intelligent. personally the only reason I bother with a VPN is so I can leverage my local networks dns to access services anywhere. its not for security.
If a service is publicly accessible, anyone can access it. Even if it’s secured, there can be security issues in the auth layer of the app, improperly secured endpoints, etc.
If a service is only available over VPN, nobody can access it unless they’re on the VPN. The service isn’t visible over the public internet and other people won’t even know it exists. You can require two factor auth to connect to the VPN.
I’m not sure why you seem to think that a private network isn’t more secure than a public network. There’s a reason why practically every company requires people working remotely to connect to a VPN to access company resources.
false.
true, fun fact a VPN is also an application with an auth layer. dun dun dun!
which is basically anyone soon as a browser is in the mix. which it is.
because I’ve done network hardening and know that they are only as secure as the devices and people that are a part of that network. it has nothing to do w/ private vs public and everything to do with what you do while within that network.
uh huh. heard of lemmings? appeals to authority? etc, etc, etc. thats you right now. federal agencies guidelines regarding VPNs search terms for you: Federal Zero Trust Strategy (notably via OMB Memo M-22-09). Individuals like yourself are literally the reason they had to release these updated guidelines. because people kept quoting out of date security practices from their old guidelines as ‘good enough for the feds must be best practices’
like i said you dont know what you’re talking about. historical foot note: when the federal agency updated their recommendations regarding VPNs they were criticized by security experts for taking so fucking long to finally remove the misguided position that VPNs improve security that you hold.
here is a relevant snippet for everyone:
Literally use ‘authn/authz’ and dont rely on VPNs for ACL. Here is another gem from that memo for today’s lucky 10,000:
and yet companies still put that nonsense into their security policies.
The VPN isn’t “on top of” anything, it’s instead of everything.
except its not. VPNs provide no real protection for a network. its literally undercut by any network connection that reaches beyond the wall it provides.
VPNs are a routing simplification and privacy measure not a security measure. idiots try and use them as a security layer thinking they’re safer.
Eh, that’s too much hassle just for streaming video. I’ll use good old torrents downloaded directly to my computer.
It’s not really a hassle though. It’s just a one time setup. Tailscale can stay connected all the time, since by default only Tailscale IPs are routed via it (so it won’t affect LAN or internet access)
If you want less hassle then use a Debrid service like Premiumize or Real-Debrid.
And plex is entirely secure?
What was it again with security and closed source vs OSS?
Is the plex relay for remote access really secure?
Or has just nobody bothered checking it?
I never said that. I don’t run a media server at all because every streaming software has its own flaws.
You can’t throw shade on Jellyfin, leave plex out of the discussion and then claim to run neither and essentially not caring…
Why participate at all with this argument??
Yeah I should’ve probably emphasised that Plex isn’t free of security vulnerabilities either, but I didn’t because I never even considered running it on my server, given the insane price.
Why participate with this argument? I was hoping to be proven wrong on the claim that jellyfin is insecure.
It’s impossible to prove a negative, that there are no vulnerabilities.
The constant argument being parotted (IMO a bit extra overblown) that you can read files by knowing the file path and being able to access the stream urls without authentication.
So if I know
/data/media/movie/A Super Secret Movie [2026](not unlikely due to assumed default paths with docker installations)and
https://jellyfin.example.local/I can supposedly guess that the URL is
https://jellyfin.example.local/video/source=?1029rifos0xomsoc93and access the stream.Is it an issue? Yes, you are bypassing active authentication
What is the actual security problem? You can be ddosed by being streames to death? Oh no, what will I do /s
If anyone else can give a more grave exampe why it’s worse than the above example: Please do. I don’t see the issue besides bypassing authentication.
That’s one of the ones we know about. Consider the ones that might exist that haven’t been found yet.
Literally the same can be said about Plex.