fix: security hardening and code review improvements
Build and Push Docker Image / build (push) Successful in 12s

- hls proxy now signs full URL instead of hostname only (SSRF)
- viewer token required to start session (prevents stats forgery and password bypass)
- weak SECRET_KEY placeholder replaced with REPLACE_ME, startup warning added
- api key auth drops query-string fallback, Bearer header only
- hls variant playlist DRM detection fetches first variant
- dash manifest DRM detection added
- android webview detection restricted to Telegram only
- privacy comment removed from ip hash (ip is stored in plaintext)
- csv export adds range filter (today/7d/30d/all), defaults to 30d
- analytics export button integrated as dropdown with range selection
- docker-compose placeholder defaults updated
- readme and readme.zh-cn updated for v1.2.0 changes
This commit is contained in:
Stardream
2026-05-24 01:40:03 +10:00
parent 601eb0247f
commit 2b0aaf3a5d
7 changed files with 162 additions and 50 deletions
+4 -3
View File
@@ -10,8 +10,9 @@ services:
ports:
- "8085:8080"
environment:
SECRET_KEY: "change-this-secret"
DATABASE_URL: "postgresql://streamhall:streamhall_pg_password@postgres:5432/streamhall"
# Generate with: openssl rand -hex 32
SECRET_KEY: "REPLACE_ME"
DATABASE_URL: "postgresql://streamhall:REPLACE_DB_PASSWORD@postgres:5432/streamhall"
TZ: "UTC"
RTMP_HOST: "srs"
# Comma-separated list of video directories (optional label:path format)
@@ -29,7 +30,7 @@ services:
environment:
POSTGRES_DB: "streamhall"
POSTGRES_USER: "streamhall"
POSTGRES_PASSWORD: "streamhall_pg_password"
POSTGRES_PASSWORD: "REPLACE_DB_PASSWORD"
TZ: "UTC"
volumes:
- ./postgres-data:/var/lib/postgresql/data