fix: security hardening and code review improvements
Build and Push Docker Image / build (push) Successful in 12s

- hls proxy now signs full URL instead of hostname only (SSRF)
- viewer token required to start session (prevents stats forgery and password bypass)
- weak SECRET_KEY placeholder replaced with REPLACE_ME, startup warning added
- api key auth drops query-string fallback, Bearer header only
- hls variant playlist DRM detection fetches first variant
- dash manifest DRM detection added
- android webview detection restricted to Telegram only
- privacy comment removed from ip hash (ip is stored in plaintext)
- csv export adds range filter (today/7d/30d/all), defaults to 30d
- analytics export button integrated as dropdown with range selection
- docker-compose placeholder defaults updated
- readme and readme.zh-cn updated for v1.2.0 changes
This commit is contained in:
Stardream
2026-05-24 01:40:03 +10:00
parent 601eb0247f
commit 2b0aaf3a5d
7 changed files with 162 additions and 50 deletions
+2 -1
View File
@@ -1,8 +1,9 @@
/*
@license
Shaka Player
Shaka Player v4.10.6
Copyright 2016 Google LLC
SPDX-License-Identifier: Apache-2.0
Source: https://github.com/shaka-project/shaka-player/releases/tag/v4.10.6
*/
(function(){var innerGlobal=typeof window!="undefined"?window:global;var exportTo={};(function(window,global,module){/*