I forked the popular Plex Movie Poster Display project to address security vulnerabilities that made it risky to expose on a home network. Here’s what I changed and why it matters.<\/p>\n\n\n\n
Matt’s Plex Movie Poster Display<\/a> is a great project that shows currently playing media on a dedicated display. When nothing is playing, it cycles through random posters from your unwatched library. I use it with a Raspberry Pi kiosk<\/a> in my home theater.<\/p>\n\n\n\n The original project works well, but it had security issues that concerned me\u2014even for an internal application. Credentials stored in plaintext, no session management, and no CSRF protection are habits that shouldn’t exist in any codebase.<\/p>\n\n\n\n Before:<\/strong> Passwords stored in plaintext in the config file.<\/p>\n\n\n\n After:<\/strong> Passwords are hashed using bcrypt. Even if someone accesses your config file, they won’t see the actual password.<\/p>\n\n\n\n Before:<\/strong> Sessions never expired.<\/p>\n\n\n\n After:<\/strong> Automatic logout after 30 minutes of inactivity. If you forget to log out of the settings panel, you’re not left exposed indefinitely.<\/p>\n\n\n\n Before:<\/strong> Forms had no protection against cross-site request forgery.<\/p>\n\n\n\n After:<\/strong> All forms include CSRF tokens, preventing malicious sites from submitting requests on your behalf.<\/p>\n\n\n\n Before:<\/strong> Basic session management with no security considerations.<\/p>\n\n\n\n After:<\/strong> Proper session initialization, regeneration on login, and complete destruction on logout.<\/p>\n\n\n\n Before:<\/strong> Plex token was used without validation.<\/p>\n\n\n\n After:<\/strong> Token is validated before the display loads, preventing errors and potential information leakage.<\/p>\n\n\n\n “It’s just an internal tool” is how security vulnerabilities become habits. Every project\u2014regardless of where it runs\u2014should follow security best practices:<\/p>\n\n\n\n These aren’t just rules for production applications. They’re habits that should be automatic.<\/p>\n\n\n\n The secured version is available on GitHub: jaysonbrush\/Plex-Movie-Poster-Display<\/a><\/p>\n\n\n\nSecurity Improvements<\/h2>\n\n\n\n
Bcrypt Password Hashing<\/h3>\n\n\n\n
Session Timeout<\/h3>\n\n\n\n
CSRF Protection<\/h3>\n\n\n\n
Secure Session Handling<\/h3>\n\n\n\n
Token Validation<\/h3>\n\n\n\n
Why This Matters<\/h2>\n\n\n\n
\n
Get the Fork<\/h2>\n\n\n\n