darkassassin07 652 Posted April 25, 2025 Posted April 25, 2025 I'd be worried exposing something like that, not knowing how vulnerable it is to code stuffing, overflow attacks, spam registrations, and more.
Yeulamcon 0 Posted April 25, 2025 Posted April 25, 2025 7 minutes ago, darkassassin07 said: I'd be worried exposing something like that, not knowing how vulnerable it is to code stuffing, overflow attacks, spam registrations, and more. Thanks for your input; your concern is totally valid. The registration page is protected by a secure token that’s verified server-side, so without a valid token, access isn’t possible. On top of that, the URL isn’t publicly listed or linked anywhere, which significantly reduces exposure. This setup already mitigates risks like code injection, overflow attacks, and spam registrations. That said, we’re continuously monitoring and improving security where needed.
Neminem 1518 Posted April 25, 2025 Posted April 25, 2025 10 hours ago, Yeulamcon said: we’re continuously monitoring and improving security where needed. I like that you say WE are! So this is not a personal server? Share seller, "cough".
Carlo 4560 Posted April 25, 2025 Posted April 25, 2025 10 hours ago, Yeulamcon said: Thanks for your input, your concern is totally valid. The registration page is protected by a secure token that’s verified server-side, so without a valid token, access isn’t possible. On top of that, the URL isn’t publicly listed or linked anywhere, which significantly reduces exposure. This setup already mitigates risks like code injection, overflow attacks, and spam registrations. That said, we’re continuously monitoring and improving security where needed. If the API usage is taking place as part of the registration page, the "secure token" is most likely exposed for anyone looking. To be better protected (for starters) you would need the registration pages to have a backend process that runs independently from the user pages. This backend-only process would be using the API, so it's never exposed to a user's browser but instead is run from a trusted/hardened dedicated location. "we’re continuously monitoring" doesn't sound like something a home server admin would say.
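To make the split Carlo describes concrete, here is an added example (not code from the thread, from Emby, or from the original poster's project) of a registration backend that keeps the media-server API key in its own process and verifies invite tokens server-side. Everything about the media server is a stand-in: `FakeMediaServerApi`, `create_user`, the `MEDIA_API_KEY` and `INVITE_SECRET` environment variables, and the user-ID format are assumptions for the demo and do not describe any real endpoint. The invite token is HMAC-signed, expiring and single-use, so a link that leaks cannot be forged, extended or replayed; only the backend holds the signing secret and the API key.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time

# Assumptions (not from the thread): this module runs as a separate backend
# process. The media server's API key and the invite-signing secret are read
# from the environment here and are never rendered into HTML or JavaScript.
API_KEY = os.environ.get("MEDIA_API_KEY", "dummy-key-for-offline-demo")
INVITE_SECRET = os.environ.get("INVITE_SECRET", "dummy-invite-secret").encode()


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InviteError(ValueError):
    """Raised for any invite that must not be honoured."""


def make_invite(email, ttl_seconds=3600, now=None, secret=INVITE_SECRET):
    """Mint an invite for one e-mail address: random nonce (for single-use
    tracking) plus an expiry, HMAC-SHA256 signed so the client cannot alter it."""
    now = time.time() if now is None else now
    claims = {"email": email, "exp": int(now + ttl_seconds), "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


class InviteStore:
    """Remembers consumed nonces so a shared or leaked link cannot be replayed.
    In production this is a database table; here it is an in-memory set."""

    def __init__(self):
        self._used = set()

    def consume(self, nonce):
        if nonce in self._used:
            raise InviteError("invite already used")
        self._used.add(nonce)


def verify_invite(token, store, now=None, secret=INVITE_SECRET):
    """Check structure, signature, expiry and single use, in that order, and
    return the e-mail the invite was issued for."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise InviteError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        raise InviteError("bad signature")
    claims = json.loads(payload)  # only parsed after the signature checks out
    if now > claims["exp"]:
        raise InviteError("invite expired")
    store.consume(claims["nonce"])  # mark used only once everything else passed
    return claims["email"]


class FakeMediaServerApi:
    """Constructed stand-in for the real media-server client (hypothetical; it
    mirrors no real API). Holding api_key here, not in the page, is the point."""

    def __init__(self, api_key):
        self.api_key = api_key
        self.users = []

    def create_user(self, name):
        self.users.append(name)
        return {"Id": "user-%d" % len(self.users), "Name": name}


def handle_registration(form, store, api, now=None):
    """Server-side POST handler. `form` is the parsed body from the browser;
    the browser only ever receives this handler's JSON result."""
    try:
        email = verify_invite(form.get("invite", ""), store, now=now)
    except InviteError as err:
        return {"ok": False, "error": str(err)}
    username = form.get("username", "").strip()
    if not username.isalnum() or not 3 <= len(username) <= 32:
        return {"ok": False, "error": "invalid username"}
    created = api.create_user(username)
    return {"ok": True, "user_id": created["Id"], "email": email}


if __name__ == "__main__":
    store, api = InviteStore(), FakeMediaServerApi(API_KEY)
    link = make_invite("friend@example.com", ttl_seconds=600)
    print(handle_registration({"invite": link, "username": "friend1"}, store, api))
    print(handle_registration({"invite": link, "username": "friend2"}, store, api))
```

The second call in the demo fails with "invite already used": the same link handed to a second person buys them nothing, and because the API key lives only in `FakeMediaServerApi` inside this process, nothing in the served page reveals it. A real deployment would also rate-limit the endpoint and store consumed nonces durably.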
KobayashiM 27 Posted 1 hour ago Posted 1 hour ago Came here looking for a simpler solution to LDAP but it doesn't look like there's going to be one, officially at least. I understand the reasoning. Although I feel like anyone intending to use Emby as a public pirating site likely has the skills to implement this feature themselves. But cut off the low-hanging fruit, I guess. Everyone wanting this feature has valid use cases. It's tedious setting up each account manually and then explaining the whole process to non-technical folks, especially how to connect via the app. Personally, I would really love a self-serve password reset feature using the user's e-mail. This should at least be standard.