I forked the popular Plex Movie Poster Display project to address security vulnerabilities that made it risky to expose on a home network. Here’s what I changed and why it matters.
Background
Matt’s Plex Movie Poster Display is a great project that shows currently playing media on a dedicated display. When nothing is playing, it cycles through random posters from your unwatched library. I use it with a Raspberry Pi kiosk in my home theater.
The original project works well, but it had security issues that concerned me—even for an internal application. Credentials stored in plaintext, no session management, and no CSRF protection are habits that shouldn’t exist in any codebase.
Security Improvements
Bcrypt Password Hashing
Before: Passwords stored in plaintext in the config file.
After: Passwords are hashed using bcrypt. Even if someone accesses your config file, they won’t see the actual password.
Session Timeout
Before: Sessions never expired.
After: Automatic logout after 30 minutes of inactivity. If you forget to log out of the settings panel, you’re not left exposed indefinitely.
CSRF Protection
Before: Forms had no protection against cross-site request forgery.
After: All forms include CSRF tokens, preventing malicious sites from submitting requests on your behalf.
Secure Session Handling
Before: Basic session management with no security considerations.
After: Proper session initialization, regeneration on login, and complete destruction on logout.
Token Validation
Before: Plex token was used without validation.
After: Token is validated before the display loads, preventing errors and potential information leakage.
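The session timeout, regeneration-on-login, destroy-on-logout and CSRF-token behaviour described above, as an added Python example that is not code from the original project or from the fork; it assumes an in-memory store, the 30-minute inactivity limit, and an injectable clock so the timeout can be exercised.

```python
# Added example (not code from the original project or the fork): an in-memory
# session store for a small web app, assuming a 30-minute inactivity timeout,
# a fresh session id on login, and a per-session CSRF token per form.
import hmac
import secrets
import time

TIMEOUT_SECONDS = 30 * 60  # assumed: 30 minutes of inactivity, as in the fork

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so a test can advance time
        self._sessions = {}      # session id -> {user, last_seen, csrf}

    def login(self, old_sid, user):
        """Regenerate the id on login so a pre-auth id never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock(),
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def touch(self, sid):
        """Return the session if still valid; drop it once idle past the timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > TIMEOUT_SECONDS:
            del self._sessions[sid]  # server-side expiry, not just a cookie hint
            return None
        s["last_seen"] = now
        return s

    def csrf_token(self, sid):
        """Token to embed in a form rendered for this session."""
        s = self.touch(sid)
        return s["csrf"] if s else None

    def check_csrf(self, sid, submitted):
        """Accept a POST only if it carries this session's token (constant-time)."""
        s = self.touch(sid)
        if s is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(s["csrf"].encode(), submitted.encode())

    def logout(self, sid):
        """Destroy server-side state so the old cookie value is useless afterwards."""
        self._sessions.pop(sid, None)
```

A real deployment would keep the store in the server's session backend and send the id in a cookie flagged HttpOnly and SameSite; the logic for expiry, regeneration and token checking is the same.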
Why This Matters
“It’s just an internal tool” is how security vulnerabilities become habits. Every project—regardless of where it runs—should follow security best practices:
- Never store passwords in plaintext
- Always implement session timeouts
- Protect forms against CSRF
- Validate all inputs and tokens
These aren’t just rules for production applications. They’re habits that should be automatic.
Get the Fork
The secured version is available on GitHub: jaysonbrush/Plex-Movie-Poster-Display
Installation is the same as the original—just clone, configure, and deploy. If you’re running this on a Raspberry Pi kiosk, check out my digital signage guide for the full setup.