dcook 303 Posted March 12 Posted March 12 Hi, I am wondering if there is an easy way to disable access to the HTML interface of Emby? I know in my user settings under the access tab I can uncheck all and then select the specific devices I want allowed, but I don't want to have to manage that. I would rather allow all devices, but disable direct HTML browser access.
dcook 303 Posted March 12 Author Posted March 12 (edited) @Lukeso if my users are using apps (tablets, firetv, etc) there is no way to disable or lock down the HTML interface of the Emby Server? I know I can block the 8096 port but I assume that will break the apps as well? Is it possible to move the HTML dashboard to a different port and keep 8096 only for the apps that are connecting? Traditionally my family has all been inside the LAN access, but now some of them are going off to school and not living at home, I still want them to be able to access using their apps, but I don't want to expose the HTML dashboard to the Internet! Edited March 12 by dcook
Luke 42184 Posted March 12 Posted March 12 Right shirt there is no way to do this universally. Blocking via device access will work but it requires some manual effort.
dcook 303 Posted March 12 Author Posted March 12 (edited) 58 minutes ago, Luke said: Right shirt there is no way to do this universally. Blocking via device access will work but it requires some manual effort. Do you know if is on the roadmap in the near future? To me it seems like common sense to have the HTML dashboard access separate from the user app access If its not on the roadmap, how about a simple switch under the Network Settings: Disable HTML access to all non admin users (Yes/No) Edited March 12 by dcook
yocker 1369 Posted March 12 Posted March 12 22 minutes ago, dcook said: Do you know if is on the roadmap in the near future? To me it seems like common sense to have the HTML dashboard access separate from the user app access If its not on the roadmap, how about a simple switch under the Network Settings: Disable HTML access to all non admins (Yes/No) You might be able to do it via reverse proxy filtering some how. Bet some one in here will know.
pwhodges 2023 Posted Saturday at 11:04 PM Posted Saturday at 11:04 PM On 12/03/2026 at 19:12, dcook said: I still want them to be able to access using their apps, but I don't want to expose the HTML dashboard to the Internet! The apps use HTML too. The dashboard is simply a different page (and is also accessible through the apps). What are you afraid of? If your users are not admins is that not sufficient for you? Paul
dcook 303 Posted yesterday at 08:35 PM Author Posted yesterday at 08:35 PM (edited) On 14/03/2026 at 19:04, pwhodges said: The apps use HTML too. The dashboard is simply a different page (and is also accessible through the apps). What are you afraid of? If your users are not admins is that not sufficient for you? Paul I just don't see why I need to expose a HTML webpage to the internet, especially one that has admin dashboard functions. If 8096 is used by the apps, then it would have been smarter to have the HTML interface and admin dashboard on its own separate port Right now it seems like its ALL or None, I either expose everything or nothing Another alternative would be to have a simple on/off flag so you can disable HTML access for users, and restrict them to only use the APPs Edited yesterday at 08:36 PM by dcook
ebr 16306 Posted yesterday at 08:52 PM Posted yesterday at 08:52 PM Hi. HTML is just a presentation layer. Our API is agnostic to the presentation. I'm not really sure how we would block or how you even really distiguish "web access" when everything is just through the API. Some of our "apps" use HTML in their presentation.
speechles 2060 Posted 22 hours ago Posted 22 hours ago You might be able to see the user-agent string. You can parse that to determine sort of what is rendering the output. That is if they give you a user-agent when they make the query. An authentic one. They are easily forged. But that is one way to tell they are using a browser.
sh0rty 727 Posted 11 hours ago Posted 11 hours ago (edited) Just tested it with Pangolin/Traefik. It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used. That said: Imo it's not worth the work you put into it. Just disable admin login from outside LAN in settings. Perhaps you have a user who just wants to watch a movie on the Laptop because kids or wife are occupying the TV sometime in the future. Is your point the whole Emby web frontend or just the Admin dashboard @dcook? Edited 11 hours ago by sh0rty
dcook 303 Posted 2 hours ago Author Posted 2 hours ago 8 hours ago, sh0rty said: Just tested it with Pangolin/Traefik. It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used. That said: Imo it's not worth the work you put into it. Just disable admin login from outside LAN in settings. Perhaps you have a user who just wants to watch a movie on the Laptop because kids or wife are occupying the TV sometime in the future. Is your point the whole Emby web frontend or just the Admin dashboard @dcook? @sh0rtymy initial concern is that if I open 8096 externally for the apps to connect, then I am also exposing the admin dashboard since its listening on the same port, one mistake by the emby devs, could lead to a compromised server. However since all my users only use the apps, I see no reason to have this HTML access open at all, and I was looking for a way to disable it for regular users.
crusher11 1131 Posted 2 hours ago Posted 2 hours ago But...the dashboard is also accessible through the apps. Just don't let the admin account connect remotely.
ebr 16306 Posted 2 hours ago Posted 2 hours ago 24 minutes ago, dcook said: @sh0rtymy initial concern is that if I open 8096 externally for the apps to connect, then I am also exposing the admin dashboard since its listening on the same port, one mistake by the emby devs, could lead to a compromised server. However since all my users only use the apps, I see no reason to have this HTML access open at all, and I was looking for a way to disable it for regular users. Yeah, you are equating "web access" with "admin access" and that isn't the same thing at all. Blocking browsers (or whatever you are thinking of as "web access") is not going to stop admin access.
dcook 303 Posted 1 hour ago Author Posted 1 hour ago (edited) 31 minutes ago, ebr said: Yeah, you are equating "web access" with "admin access" and that isn't the same thing at all. Blocking browsers (or whatever you are thinking of as "web access") is not going to stop admin access. @ebrcould there not be a simple on/off flag added to the admin dashboard under the user setting to enable/disable HTML access? my users never login via browser to the HTML site, they are only using apps like ipad/firetv, etc. They have no need for browser access and the HTML site could be turned off Ideally the Admin Dashboard should be moved to its own port, or be able to select Admin Access to localhost only as well, but if I can at least restrict my users to not have HTML access then that would be good Edited 1 hour ago by dcook
crusher11 1131 Posted 1 hour ago Posted 1 hour ago 17 minutes ago, dcook said: @ebrcould there not be a simple on/off flag added to the admin dashboard under the user setting to enable/disable HTML access? my users never login via browser to the HTML site, they are only using apps like ipad/firetv, etc. They have no need for browser access and the HTML site could be turned off Ideally the Admin Dashboard should be moved to its own port, or be able to select Admin Access to localhost only as well, but if I can at least restrict my users to not have HTML access then that would be good Your problem would be much easier to resolve if you actually read the responses you're getting. There is already a setting to prevent remote access to the admin account, should you so desire. “HTML access” isn't a thing and has no effect on what you're trying to do, because the admin dashboard is just as easily accessible through the apps as the rest of the interface is. Why do so many of your users have admin access in the first place?
Lessaj 477 Posted 1 hour ago Posted 1 hour ago 9 hours ago, sh0rty said: It's sufficient to forbid /web/* path when using a reverse proxy. Android App just uses /emby/* path and still works after setting up the rule. Not tested with the old AndroidTV, Theater or other apps. But if they do use /emby/* like the Android App, then yes, web access can be disabled via Reverse Proxy. If one platform does not, you're locking the user out and a more granular solution like user-agent filtering mentioned by speechles would need to be used. While true, this is not completely accurate. You can change the URI to /emby/web from /web in the browser and everything works normally. I guess you could allow/block access to the /web path based on User Agent string, but that can still be spoofed so you're probably better off just not giving people admin access.
C.S. 93 Posted 26 minutes ago Posted 26 minutes ago (edited) 1 hour ago, Lessaj said: While true, this is not completely accurate. You can change the URI to /emby/web from /web in the browser and everything works normally. So the solution there would be to block every URI path not containing "/emby/" while also blocking every URI path containing "/emby/web/". Wrongo. Edited 11 minutes ago by C.S.
Lessaj 477 Posted 18 minutes ago Posted 18 minutes ago 6 minutes ago, C.S. said: So the solution there would be to block every URI path not containing "/emby/" while also blocking every URI path containing "/emby/web/". Nope, apps use it.
dcook 303 Posted 11 minutes ago Author Posted 11 minutes ago 1 hour ago, crusher11 said: Your problem would be much easier to resolve if you actually read the responses you're getting. There is already a setting to prevent remote access to the admin account, should you so desire. “HTML access” isn't a thing and has no effect on what you're trying to do, because the admin dashboard is just as easily accessible through the apps as the rest of the interface is. Why do so many of your users have admin access in the first place? I am reading everything If HTML access is not a thing and is not needed, why can we not disable the HTML interface? What is the point of having it running if not needed. For example if I setup a Apache server, and by default its listening on port 80 (http) but my site only uses https (port 443) so the correct thing to do is to disable port 80, there is no reason to have it listening on port 80. None of my users have admin access The point is, why do I have to expose to the internet the HTML web interface (which includes the Admin Dashboard because its not separated on its own port) when 100% of my users are using the apps. If 100% of my users are using apps, there is no reason to have the HTML web interface available just sitting there waiting
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now