Hello everyone,
This important release introduces critical security enhancements for DockFlare. A special thanks to GitHub user @bcurran3 for highlighting these security concerns in issue #161, and to Reddit user t2_hur2hqu6k for their valuable feedback. Community contributions like these are invaluable in making DockFlare better and more secure for everyone.
IMPORTANT:
All users are strongly encouraged to update to version v2.0.5 and enable password protection as soon as possible to secure your DockFlare instance.
What's New in v2.0.5
Security Enhancements
- Authentication: DockFlare now supports password protection for the web UI and API. This is a critical security update, and I urge everyone to enable it.
- CSRF Protection: To prevent Cross-Site Request Forgery (CSRF) attacks, all forms in the web UI are now protected with anti-CSRF tokens.
- Strengthened Content Security Policy (CSP): The CSP has been made more restrictive to mitigate the risk of Cross-Site Scripting (XSS) and other injection attacks.
- Pinned Dependencies: All Python dependencies in requirements.txt are now pinned to specific, stable versions. This makes builds reproducible and narrows the window for supply-chain attacks (pinning fixes which version is installed; adding per-package hashes and installing with pip's --require-hashes mode would additionally verify what is downloaded).
New Features
- Dismissible Security Warning: For a smooth transition, a dismissible warning banner will appear in the UI if authentication is not configured. This banner will guide you through the security setup without locking you out of your application.
How to Enable Authentication
To secure your DockFlare instance, you need to set two new environment variables: DOCKFLARE_PASSWORD and SECRET_KEY.
Step 1: Generate a Hashed Password
This command creates a secure, hashed version of your password. Run it in your terminal, replacing "YOUR_PASSWORD_HERE" with a strong, private password.
docker run --rm python:3.13-slim sh -c "pip install werkzeug==2.3.7 >/dev/null 2>&1 && python -c 'from werkzeug.security import generate_password_hash; print(generate_password_hash(\"YOUR_PASSWORD_HERE\"))'"
Copy the entire output string. It begins with the hash method and its parameters, e.g. scrypt:32768:8:1$... with this Werkzeug version (older Werkzeug defaults produced pbkdf2:sha256:600000$...); both forms are verified by Werkzeug's check_password_hash. This is your DOCKFLARE_PASSWORD value. Because the password is passed as a command-line argument, it can end up in your shell history, so remove that history entry afterwards and do not reuse the password anywhere else.
Step 2: Generate a Secret Key
This key is used for session management to keep your login secure. Generate a cryptographically secure key with this command:
openssl rand -hex 32
Copy the generated 64-character hex string. This is your SECRET_KEY value. Treat it like a password: whoever holds it can forge the session data it protects, and changing it later invalidates all existing logins.
Step 3: Update Your Docker Configuration
Add the hashed password and secret key as environment variables to your docker-compose.yml.
Example docker-compose.yml:
services:
  dockflare:
    image: alplat/dockflare:v2.0.5 # Or :unstable, :latest
    restart: always
    ports:
      - "8080:80"
    environment:
      # --- Your other environment variables ---
      - DOCKFLARE_WATCH_ALL=true
      # --- ADD THE NEW SECURITY VARIABLES ---
      # Paste the full hash from Step 1 here, writing every $ in it as $$:
      # Compose expands $name inside this file, and the hash uses $ as a separator.
      # Confirm the rendered value with `docker compose config` before starting.
      - DOCKFLARE_PASSWORD=<your_hashed_password_from_step_1>
      # Paste the random hex string from Step 2 here
      - SECRET_KEY=<your_generated_secret_key_from_step_2>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
(Alternatively, you can place these variables in an .env file. Compose applies the same $ interpolation rules to a .env file, so check the result with `docker compose config` there too.)
Step 4: Restart DockFlare
Restart your container to apply the new security settings.
docker compose down && docker compose up -d
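The four steps above go through Werkzeug inside a throwaway container. The following is an added example, not DockFlare's or Werkzeug's own code, that does the same work with the Python standard library only: it builds a hash in the "method$salt$hexdigest" layout that Werkzeug's generate_password_hash emits (the layout and the scrypt maxmem choice are intended to match Werkzeug; DockFlare is assumed, not confirmed by this note, to verify with Werkzeug's check_password_hash), verifies a candidate password with a constant-time comparison while rejecting malformed or unknown-method hashes instead of crashing, mints a SECRET_KEY of the same shape as `openssl rand -hex 32`, and renders the two Compose environment lines with every `$` escaped. The hard-coded salt used for the reproducible check is for testing only.

```python
"""Added example (not DockFlare's or Werkzeug's code): Werkzeug-style password hashing,
verification, SECRET_KEY generation and Compose-safe rendering, standard library only."""
import hashlib
import hmac
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits  # Werkzeug draws its salt from this alphabet
DEFAULT_METHOD = "scrypt:32768:8:1"                # Werkzeug 2.3+ default; pbkdf2:sha256:600000 is the older one


def _hash_internal(method: str, salt: str, password: str) -> str:
    """Hex digest for one method string. Raises ValueError/IndexError for anything malformed."""
    parts = method.split(":")
    pw, sl = password.encode("utf-8"), salt.encode("utf-8")
    if parts[0] == "scrypt":                        # scrypt:<n>:<r>:<p>
        n, r, p = (int(x) for x in parts[1:4])
        # maxmem follows Werkzeug's choice (128*n*r would be the minimum; a little extra is needed)
        return hashlib.scrypt(pw, salt=sl, n=n, r=r, p=p, maxmem=132 * n * r * p).hex()
    if parts[0] == "pbkdf2":                        # pbkdf2:<hash_name>:<iterations>
        return hashlib.pbkdf2_hmac(parts[1], pw, sl, int(parts[2])).hex()
    raise ValueError(f"unsupported hash method: {method!r}")


def generate_password_hash(password: str, method: str = DEFAULT_METHOD, salt: str = "") -> str:
    """Return '<method>$<salt>$<hexdigest>'. A fresh random 16-char salt is drawn unless one
    is supplied; supplying one is only for reproducible tests, never for real credentials."""
    if not salt:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(16))
    return f"{method}${salt}${_hash_internal(method, salt, password)}"


def check_password_hash(pwhash: str, password: str) -> bool:
    """Verify a candidate password. Malformed or unknown-method hashes are rejected rather than
    raised, and the digest comparison is constant-time to avoid a timing side channel."""
    try:
        method, salt, stored = pwhash.split("$", 2)
        candidate = _hash_internal(method, salt, password)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate, stored)


def generate_secret_key() -> str:
    """32 random bytes as 64 hex characters, the same shape as `openssl rand -hex 32`."""
    return secrets.token_hex(32)


def compose_environment_lines(pwhash: str, secret_key: str) -> list[str]:
    """Render the two `environment:` entries for docker-compose.yml. Compose expands `$name`
    inside the compose file and the hash uses `$` as a separator, so each `$` is doubled."""
    return [
        f"- DOCKFLARE_PASSWORD={pwhash.replace('$', '$$')}",
        f"- SECRET_KEY={secret_key}",
    ]


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("Password for the DockFlare UI: ")  # a prompt keeps it out of shell history
    pwhash = generate_password_hash(pw)
    assert check_password_hash(pwhash, pw)                    # sanity check before you paste it
    print("\n".join(compose_environment_lines(pwhash, generate_secret_key())))
```

Run it, paste the two printed lines under `environment:` in docker-compose.yml, and confirm with `docker compose config` that the rendered DOCKFLARE_PASSWORD still contains its `$` separators and a 64- or 128-character digest; if Compose has swallowed part of it, the escaping was lost in the paste.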
Your DockFlare instance is now password-protected. Thank you for your continued support and for taking these steps to secure your instance.
Cheers,
Chris