Security Hardening (OWASP Top 10)
Injection & SSRF (A03/A10)
- ffmpeg protocol whitelist on all invocations — blocks `file://`, `data://`, `concat:` and other dangerous protocols
- URL scheme validation at input time on M3U, Xtream Codes, and EPG source endpoints — only `http://` and `https://` allowed
- Zip backup path canonicalization — defense-in-depth `resolve()` check alongside existing traversal guards
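As an added illustration of the two input-time checks above (scheme allow-list on source URLs, and a lexical traversal guard backed by a `resolve()` containment check on zip member paths), here is example code written for this note; it is not the project's own code, and the function names, the `/tmp/restore` destination and the assumption of a Python stack are mine.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Only these schemes may be stored for M3U, Xtream Codes and EPG sources.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_source_url(url: str) -> str:
    """Return the trimmed URL if its scheme is http/https, else raise ValueError.

    Checked when the source is entered, so file://, data:, concat: and similar
    never reach storage or a later ffmpeg invocation.
    """
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported URL scheme: {scheme or '<none>'}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def is_allowed_source_url(url: str) -> bool:
    try:
        validate_source_url(url)
    except ValueError:
        return False
    return True


def safe_extract_target(dest_dir: Path, member_name: str) -> Path:
    """Map a zip member name to a canonical path that must stay inside dest_dir.

    Guard 1 is the lexical traversal check on the raw name; guard 2 canonicalizes
    with resolve() and requires containment, which also covers symlink escapes
    that the lexical check cannot see.
    """
    member = Path(member_name)
    if member.is_absolute() or member_name.startswith(("/", "\\")) or ".." in member.parts:
        raise ValueError(f"rejected zip member name: {member_name!r}")
    root = dest_dir.resolve()
    target = (root / member).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"zip member escapes destination: {member_name!r}")
    return target


def is_safe_member(dest_dir: Path, member_name: str) -> bool:
    try:
        safe_extract_target(dest_dir, member_name)
    except ValueError:
        return False
    return True
```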
Authentication (A01/A07)
- Login rate limiting — 5 attempts per minute per IP via slowapi on both local and Dispatcharr login endpoints
- Client IP in login failure logs — includes `X-Forwarded-For` for forensics
- NIST 800-63B password policy — dropped composition rules (uppercase/lowercase/number), replaced 33-word list with 10k common passwords, uniform 8-char minimum for all users including admin-created
Security Misconfiguration (A05)
- Security headers — `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`
- CORS tightened — explicit method and header allow lists instead of wildcards
Logging (A09)
- 500 response scrubbing — global handler returns generic "Internal server error" to clients, real error stays in server logs
- Validation error log redaction — Authorization/Cookie headers and auth endpoint request bodies redacted from logs
Bug Fix
- EPG matching fixed — channel names with number prefix (e.g., `535 | ESPN`) were normalizing to `535espn` instead of `espn`, causing zero matches against EPG data
Stats
- Backend: 2263 tests passing
- Frontend: 1027 tests passing
- 22 files changed, ~10.5k lines added (mostly the 10k common passwords list)