-
released this
2026-05-24 01:49:20 +10:00 | 5 commits to main since this release🔒 Security
- HLS proxy now signs the full target URL instead of hostname only; a token cannot be reused across different paths on the same host
viewer_startnow requires a short-lived HMAC token issued at player load, preventing unauthenticated session injection and password-gated stream bypass- Warning is printed at startup when
SECRET_KEYis a known weak placeholder (REPLACE_MEetc.) - API key authentication now only accepts the
Authorization: Bearerheader; the?api_key=query string fallback has been removed to prevent token leakage into logs and browser history
✨ What's New
📊 Analytics
- CSV export now filters by time range - choose
today,7d,30d(default), orallfrom an integrated dropdown button; previously the export was unbounded
🐛 Bug Fixes
- Fixed HLS DRM detection missing on streams served via a master playlist - the probe now fetches the first variant URL before checking for DRM markers
- Fixed DASH streams not being detected as DRM-protected - added Widevine UUID check on the manifest response
- Fixed Android WebView detection casting too wide a net; detection is now restricted to the Telegram UA string only, avoiding false positives on regular Android browsers
- Removed a misleading comment on the IP hash function that implied raw IPs were not stored (they are)
⚙️ Configuration
docker-compose.ymlplaceholder defaults changed toREPLACE_ME/REPLACE_DB_PASSWORDto make unset secrets more obvious
🔄 What's Changed
Full Changelog: v1.2.0...v1.2.1
Downloads