dcook
Posted

Hi, I am wondering if there is an easy way to disable access to the HTML interface of Emby?

I know in my user settings under the access tab I can uncheck all and then select the specific devices I want allowed, but I don't want to have to manage that.

I would rather allow all devices, but disable direct HTML browser access.

 

 

Posted

Hi, not generically, no. Only via device access.

dcook
Posted (edited)

@Luke so if my users are using apps (tablets, firetv, etc) there is no way to disable or lock down the HTML interface of the Emby Server?
I know I can block the 8096 port but I assume that will break the apps as well?

Is it possible to move the HTML dashboard to a different port and keep 8096 only for the apps that are connecting?

Traditionally my family has all been inside the LAN access, but now some of them are going off to school and not living at home, I still want them to be able to access using their apps, but I don't want to expose the HTML dashboard to the Internet!

Edited by dcook
Posted

Right shirt there is no way to do this universally.

 Blocking via device access will work but it requires some manual effort.

dcook
Posted (edited)
58 minutes ago, Luke said:

Right shirt there is no way to do this universally.

 Blocking via device access will work but it requires some manual effort.

Do you know if it is on the roadmap in the near future?

To me it seems like common sense to have the HTML dashboard access separate from the user app access

If it's not on the roadmap, how about a simple switch under the Network Settings:

Disable HTML access to all non admin users (Yes/No)

Edited by dcook
yocker
Posted
22 minutes ago, dcook said:

Do you know if it is on the roadmap in the near future?

To me it seems like common sense to have the HTML dashboard access separate from the user app access

If it's not on the roadmap, how about a simple switch under the Network Settings:

Disable HTML access to all non admins (Yes/No)

You might be able to do it via reverse proxy filtering somehow.
Bet someone in here will know.

Posted
On 12/03/2026 at 19:12, dcook said:

I still want them to be able to access using their apps, but I don't want to expose the HTML dashboard to the Internet!

The apps use HTML too.  The dashboard is simply a different page (and is also accessible through the apps).

What are you afraid of?  If your users are not admins is that not sufficient for you?

Paul

Posted (edited)
On 14/03/2026 at 19:04, pwhodges said:

The apps use HTML too.  The dashboard is simply a different page (and is also accessible through the apps).

What are you afraid of?  If your users are not admins is that not sufficient for you?

Paul

I just don't see why I need to expose an HTML webpage to the internet, especially one that has admin dashboard functions.

If 8096 is used by the apps, then it would have been smarter to have the HTML interface and admin dashboard on its own separate port

Right now it seems like it's ALL or None, I either expose everything or nothing

Another alternative would be to have a simple on/off flag so you can disable HTML access for users, and restrict them to only use the APPs
 

Edited by dcook
Posted

Hi.  HTML is just a presentation layer.  Our API is agnostic to the presentation.

I'm not really sure how we would block or how you even really distinguish "web access" when everything is just through the API.  Some of our "apps" use HTML in their presentation.

Posted

You might be able to see the user-agent string. You can parse that to determine sort of what is rendering the output. That is if they give you a user-agent when they make the query. An authentic one. They are easily forged. But that is one way to tell they are using a browser.

sh0rty
Posted (edited)

Just tested it with Pangolin/Traefik.

It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used.

That said: Imo it's not worth the work you put into it. Just disable admin login from outside LAN in settings. Perhaps you have a user who just wants to watch a movie on the Laptop because kids or wife are occupying the TV sometime in the future. 

Is your point the whole Emby web frontend or just the Admin dashboard @dcook?

Edited by sh0rty
dcook
Posted
8 hours ago, sh0rty said:

Just tested it with Pangolin/Traefik.

It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used.

That said: Imo it's not worth the work you put into it. Just disable admin login from outside LAN in settings. Perhaps you have a user who just wants to watch a movie on the Laptop because kids or wife are occupying the TV sometime in the future. 

Is your point the whole Emby web frontend or just the Admin dashboard @dcook?

@sh0rty my initial concern is that if I open 8096 externally for the apps to connect, then I am also exposing the admin dashboard since it's listening on the same port, one mistake by the emby devs, could lead to a compromised server.

However since all my users only use the apps, I see no reason to have this HTML access open at all, and I was looking for a way to disable it for regular users.

crusher11
Posted

But...the dashboard is also accessible through the apps. Just don't let the admin account connect remotely.

Posted
24 minutes ago, dcook said:

@sh0rty my initial concern is that if I open 8096 externally for the apps to connect, then I am also exposing the admin dashboard since it's listening on the same port, one mistake by the emby devs, could lead to a compromised server.

However since all my users only use the apps, I see no reason to have this HTML access open at all, and I was looking for a way to disable it for regular users.

Yeah, you are equating "web access" with "admin access" and that isn't the same thing at all.  Blocking browsers (or whatever you are thinking of as "web access") is not going to stop admin access.

dcook
Posted (edited)
31 minutes ago, ebr said:

Yeah, you are equating "web access" with "admin access" and that isn't the same thing at all.  Blocking browsers (or whatever you are thinking of as "web access") is not going to stop admin access.

@ebr could there not be a simple on/off flag added to the admin dashboard under the user setting to enable/disable HTML access?

my users never login via browser to the HTML site, they are only using apps like ipad/firetv, etc.
They have no need for browser access and the HTML site could be turned off

Ideally the Admin Dashboard should be moved to its own port, or be able to select Admin Access to localhost only as well, but if I can at least restrict my users to not have HTML access then that would be good

Edited by dcook
crusher11
Posted
17 minutes ago, dcook said:

@ebr could there not be a simple on/off flag added to the admin dashboard under the user setting to enable/disable HTML access?

my users never login via browser to the HTML site, they are only using apps like ipad/firetv, etc.
They have no need for browser access and the HTML site could be turned off

Ideally the Admin Dashboard should be moved to its own port, or be able to select Admin Access to localhost only as well, but if I can at least restrict my users to not have HTML access then that would be good

Your problem would be much easier to resolve if you actually read the responses you're getting.

There is already a setting to prevent remote access to the admin account, should you so desire. “HTML access” isn't a thing and has no effect on what you're trying to do, because the admin dashboard is just as easily accessible through the apps as the rest of the interface is.

Why do so many of your users have admin access in the first place?

Lessaj
Posted
9 hours ago, sh0rty said:

It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used.

While true, this is not completely accurate. You can change the URI to /emby/web from /web in the browser and everything works normally.

I guess you could allow/block access to the /web path based on User Agent string, but that can still be spoofed so you're probably better off just not giving people admin access.

Posted
54 minutes ago, Lessaj said:

While true, this is not completely accurate. You can change the URI to /emby/web from /web in the browser and everything works normally.

So the solution there would be to block every URI path not containing "/emby/" while also blocking every URI path containing "/emby/web/".

Lessaj
Posted
6 minutes ago, C.S. said:

So the solution there would be to block every URI path not containing "/emby/" while also blocking every URI path containing "/emby/web/".

Nope, apps use it.
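
Added example, not part of any post in this thread and not Emby or Traefik code: a small check for a reverse-proxy deny list, built on the two web UI prefixes named above (/web from sh0rty's test, /emby/web from Lessaj's reply). The sample request paths are constructed placeholders, and case-sensitive, segment-by-segment matching is an assumption about how the proxy rule behaves.

```python
from urllib.parse import urlsplit

# Prefixes the thread says serve the browser UI.
WEB_UI_PREFIXES = ("/web", "/emby/web")

# Constructed request targets for illustration; the API paths are placeholders.
SAMPLE_TARGETS = [
    "/emby/Items/1234",
    "/emby/Sessions/Playing",
    "/web/index.html",
    "/emby/web/index.html",
    "/webhooks/notify",  # shares the string prefix "/web" but is a different segment
]


def segments(target):
    """Split a request target into path segments, dropping the query and empty segments."""
    return [s for s in urlsplit(target).path.split("/") if s]


def under_prefix(target, prefix):
    """True if target is the prefix itself or below it, compared segment by segment."""
    want = segments(prefix)
    return segments(target)[:len(want)] == want


def audit(deny_prefixes, targets=SAMPLE_TARGETS):
    """Report web UI targets a deny list still lets through and non-UI targets it blocks."""
    leaked, collateral = [], []
    for target in targets:
        denied = any(under_prefix(target, p) for p in deny_prefixes)
        is_ui = any(under_prefix(target, p) for p in WEB_UI_PREFIXES)
        if is_ui and not denied:
            leaked.append(target)       # browser UI still reachable
        elif denied and not is_ui:
            collateral.append(target)   # non-UI request blocked by the rule
    return {"leaked": leaked, "collateral": collateral}


if __name__ == "__main__":
    for rules in (("/web",), ("/web", "/emby/web"), ("/emby",)):
        print(rules, audit(rules))
```

An empty "leaked" list only covers the paths in the sample set. Lessaj's last reply indicates apps depend on paths such a rule would block, so each client platform still has to be tested against the real proxy.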
