🚀 Jellyfin Server 10.11.7
We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
Definitely.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
that’s fair, does it not have any kind of encryption by default?
Standard TLS, I think, but what else would you need?
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
Plex logins go through their login server so you’ll also have login throttling and probably other bot protections.
They also do some SSL shenanigans to get every user a unique, valid public certificate created during setup. https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
Why NPMplus and not the default NPM?
Primarily for the CrowdSec integration (one less thing to set up manually)
https://www.virtualizationhowto.com/2025/09/nginx-proxy-manager-vs-npmplus-which-one-is-better-for-your-home-lab/
Why link the fork of a fork in your original response?
uhhh did i? https://github.com/ZoeyVid/NPMplus is the link I meant to post for npmplus. its a community fork of npm.
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.