Skip to content

Security Hardening

Odeion’s defaults are reasonably safe: registration is invite-only, failed logins are rate limited, and secrets are encrypted at rest. This page covers what is on you as the operator.

ItemDefaultYour action
TLSNot handled by OdeionPut a reverse proxy in front and expose only HTTPS.
Public portsCompose maps 8080Expose only the proxy (80/443). Do not publish 8080 or PostgreSQL.
RegistrationInvite-onlyKeep invites short-lived and single-use where possible.
Container userDrops to non-rootSet PUID/PGID to an unprivileged host user. Avoid PUID=0.
DatabaseEmbedded, not exposedIf using external PostgreSQL, require TLS (sslmode=require) and a strong password.
Config exportsContain secrets in cleartextProtect exported YAML files like credentials.
API keysDisabled per user by defaultLeave the per-user toggle off unless the user needs automation.

The only thing that should face the internet is your reverse proxy serving HTTPS. Odeion’s own port (8080 by default) should be reachable only by the proxy; in a compose setup on the same network you can drop the ports: mapping entirely. Never expose PostgreSQL.

Client apps require HTTPS, so a valid certificate is a functional requirement, not just a hardening step.

  • Registration only works with an invite code, and invite redemption is rate limited per IP. See Invites and Registration.
  • Failed logins are limited to 10 per 15 minutes per IP and per username. See Rate Limiting and Account Locking.
  • Compromised account? Lock it in Admin > Users: this blocks logins, existing sessions, and API keys at once.
  • During an active incident, the Login and OAuth kill switches stop all new sign-ins immediately.

Passwords are stored as bcrypt hashes. Session tokens and API keys are stored only as SHA-256 hashes. OAuth client secrets and the Apple private key are encrypted in the database and shown redacted in the admin panel.

Two places where secrets do appear in cleartext:

  • odeion config export output includes integration API keys (Sonarr, Radarr). Treat exported files accordingly.
  • Reset links are bearer credentials while valid. Deliver them over a trusted channel.

API keys carry an explicit scope allow-list and can never reach admin endpoints, user management, setup, or licensing routes, regardless of the owning user’s role. They do not expire, so revoke keys you no longer use. See API Keys.

The official image starts as root only to fix volume ownership and join the GPU render group, then drops privileges to the odeion user via gosu. Set PUID and PGID to a dedicated unprivileged host user so files in your mounted volumes are owned sensibly. Media library mounts should be read-only (:ro), which is what the installation wizard generates.