Security patch release addressing two medium-severity findings from the Sonarr/Radarr cross-reference audit.
Security fixes
Trusted proxy configuration (equivalent to Sonarr CVE-2026-30975)
X-Forwarded-For rewriting via chi.middleware.RealIP was previously applied unconditionally. An on-network attacker could spoof X-Forwarded-For: 127.0.0.1 to bypass local-only auth mode.
Fix: Introduce BINDERY_TRUSTED_PROXY — a comma-separated list of IPs/CIDRs identifying your reverse proxy. XFF rewriting is now only applied when the direct peer IP matches. When unset (default), forwarded headers are ignored and the peer IP is used as-is.
Action required for local-only auth mode users: Set BINDERY_TRUSTED_PROXY to your reverse proxy's IP (e.g. BINDERY_TRUSTED_PROXY=192.168.1.1). Without this, local-only mode will stop trusting forwarded IPs — requests will be evaluated on their direct peer IP instead.
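As an added illustration of the trusted-proxy gating described above (example code written for these notes, not Bindery's own implementation), the Go program below parses a BINDERY_TRUSTED_PROXY-style list, consults X-Forwarded-For only when the direct peer is in that list, and wraps the result in a chi-style middleware that rewrites r.RemoteAddr the way chi's middleware.RealIP does. The names ParseTrustedProxies, ClientIP and TrustedRealIP are assumptions. It goes slightly beyond the release note in one respect: when the peer is trusted, a multi-hop X-Forwarded-For chain is walked from the right, skipping trusted hops, so the address used is the one set by the last trusted proxy rather than the leftmost, client-controlled entry.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TrustedProxies is the parsed form of a comma-separated IP/CIDR list such as
// the value of BINDERY_TRUSTED_PROXY. An empty list trusts no proxy.
type TrustedProxies struct {
	nets []*net.IPNet
}

// ParseTrustedProxies parses "192.168.1.1, 10.0.0.0/8"-style input. A bare IP
// becomes a /32 (IPv4) or /128 (IPv6) network; malformed entries are an error.
func ParseTrustedProxies(list string) (*TrustedProxies, error) {
	tp := &TrustedProxies{}
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			ip := net.ParseIP(item)
			if ip == nil {
				return nil, fmt.Errorf("trusted proxy %q is not an IP or CIDR", item)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			item = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, ipnet, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", item, err)
		}
		tp.nets = append(tp.nets, ipnet)
	}
	return tp, nil
}

// Contains reports whether ip is inside any trusted network.
func (tp *TrustedProxies) Contains(ip net.IP) bool {
	for _, n := range tp.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP decides which address auth checks should see. The forwarded header
// is consulted only when the direct peer is a trusted proxy; otherwise the
// peer address is returned unchanged, so a spoofed header has no effect.
func ClientIP(tp *TrustedProxies, remoteAddr, xff string) string {
	peer := remoteAddr
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		peer = host
	}
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !tp.Contains(peerIP) {
		return peer
	}
	var chain []string
	for _, hop := range strings.Split(xff, ",") {
		if hop = strings.TrimSpace(hop); hop != "" {
			chain = append(chain, hop)
		}
	}
	// Walk right to left: the first hop that is not a trusted proxy was
	// written by the last proxy we trust.
	for i := len(chain) - 1; i >= 0; i-- {
		ip := net.ParseIP(chain[i])
		if ip == nil || !tp.Contains(ip) {
			return chain[i]
		}
	}
	return peer // header absent or every hop trusted
}

// TrustedRealIP is a chi-style middleware that rewrites r.RemoteAddr to the
// value ClientIP derives; handlers downstream read the address from there.
func TrustedRealIP(tp *TrustedProxies) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			r.RemoteAddr = ClientIP(tp, r.RemoteAddr, r.Header.Get("X-Forwarded-For"))
			next.ServeHTTP(w, r)
		})
	}
}

func main() {
	tp, err := ParseTrustedProxies("192.168.1.1") // constructed config value
	if err != nil {
		panic(err)
	}
	h := TrustedRealIP(tp)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "seen as", r.RemoteAddr)
	}))
	// The same forwarded header from an untrusted peer and from the trusted proxy.
	for _, peer := range []string{"203.0.113.7:51000", "192.168.1.1:51000"} {
		req := httptest.NewRequest("GET", "/", nil)
		req.RemoteAddr = peer
		req.Header.Set("X-Forwarded-For", "127.0.0.1")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("peer %-18s -> %s", peer, rec.Body.String())
	}
}
```

With the list unset, the parsed set is empty, every peer is untrusted and the peer address is used as-is, which matches the new default; a local-only auth check that reads r.RemoteAddr after this middleware can therefore no longer be satisfied by a client-supplied header.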
File download path validation
The /api/v1/book/{id}/file endpoint served book.FilePath from the database without verifying it falls within a configured library directory. A tampered database entry could have caused it to serve arbitrary files.
Fix: FileHandler now validates the cleaned file path against BINDERY_LIBRARY_DIR and BINDERY_AUDIOBOOK_DIR before serving. Paths outside these roots return 403.
No behaviour change for correctly-stored paths.
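To show what "validates the cleaned file path against the configured roots" looks like in practice, here is an added Go example written for these notes (not Bindery's FileHandler). ResolveLibraryPath is the lexical check the note describes: it makes the stored path absolute and clean, then uses filepath.Rel rather than a string-prefix test so that a sibling directory such as /library2 is not mistaken for /library. ResolveLibraryPathOnDisk goes a step beyond the note by also resolving symlinks on both the path and the roots, so a link inside the library that points outside it is refused as well. FileHandler stands in for the /api/v1/book/{id}/file endpoint, with the lookup callback taking the place of the database read of book.FilePath; all three names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideLibrary is returned when a stored path escapes every root.
var ErrOutsideLibrary = errors.New("file path is outside the configured library roots")

// withinRoot reports whether abs (absolute, cleaned) lies strictly below
// rootAbs. The root itself (rel == ".") is not a servable file.
func withinRoot(rootAbs, abs string) bool {
	rel, err := filepath.Rel(rootAbs, abs)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveLibraryPath cleans stored and returns it only if it falls within one
// of roots (e.g. BINDERY_LIBRARY_DIR and BINDERY_AUDIOBOOK_DIR). Empty roots
// are skipped so an unset variable never becomes a match for "/".
func ResolveLibraryPath(stored string, roots []string) (string, error) {
	abs, err := filepath.Abs(stored) // Abs also applies filepath.Clean
	if err != nil {
		return "", err
	}
	for _, root := range roots {
		if root == "" {
			continue
		}
		rootAbs, err := filepath.Abs(root)
		if err != nil {
			continue
		}
		if withinRoot(rootAbs, abs) {
			return abs, nil
		}
	}
	return "", ErrOutsideLibrary
}

// ResolveLibraryPathOnDisk repeats the check after resolving symlinks on both
// sides, so a link inside the library cannot lead outside it. The file must exist.
func ResolveLibraryPathOnDisk(stored string, roots []string) (string, error) {
	abs, err := ResolveLibraryPath(stored, roots)
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return "", err
	}
	var realRoots []string
	for _, root := range roots {
		if rr, err := filepath.EvalSymlinks(root); err == nil {
			realRoots = append(realRoots, rr)
		}
	}
	return ResolveLibraryPath(real, realRoots)
}

// FileHandler mirrors the /api/v1/book/{id}/file endpoint. lookup stands in for
// the database read of book.FilePath (an assumption, not the project's API).
func FileHandler(roots []string, lookup func(id string) (string, bool)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/api/v1/book/"), "/file")
		stored, ok := lookup(id)
		if !ok {
			http.NotFound(w, r)
			return
		}
		path, err := ResolveLibraryPathOnDisk(stored, roots)
		switch {
		case errors.Is(err, os.ErrNotExist):
			http.NotFound(w, r) // inside a root, but the file is gone
		case err != nil:
			http.Error(w, "forbidden", http.StatusForbidden) // tampered or misconfigured entry
		default:
			http.ServeFile(w, r, path)
		}
	})
}

func main() {
	// Constructed sample entries checked against a single root.
	for _, p := range []string{"/library/author/book.epub", "/library/../outside/x.epub", "/library2/x.epub", "/library"} {
		_, err := ResolveLibraryPath(p, []string{"/library"})
		fmt.Printf("%-30s -> %v\n", p, err)
	}
}
```

Returning 403 for an out-of-root path regardless of whether the file exists, and 404 only for in-root paths that are missing, keeps the existence of files outside the library from leaking through the status code.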
Upgrading
Drop-in upgrade from v0.20.1. If you use local-only auth mode behind a reverse proxy, set BINDERY_TRUSTED_PROXY to your proxy's IP to preserve the existing behaviour.