# Security Guide
Security considerations for self-hosting DesterLib.
## Current Security Status

DesterLib does not yet ship built-in authentication (see Authentication (Planned) below), so anyone who can reach the API port can use it. Until that lands, access control has to come from the network layer: keep the service on your LAN or a VPN, or put an authenticating reverse proxy in front of it.

## Network Security
### Local Network Only (Safest)

Recommended for: most users
Keep DesterLib on your local network:
- ✅ No port forwarding
- ✅ No public exposure
- ✅ Access via LAN only
- ✅ Use Tailscale for remote access
### Exposed to Internet

Only if necessary, and follow these rules:
- ✅ Use HTTPS (reverse proxy required)
- ✅ Monitor access logs regularly
- ✅ Use strong database passwords
- ✅ Keep system updated
- ✅ Enable authentication (when available)
## Database Security

### Strong Passwords

Generate a secure password:
```sh
openssl rand -base64 32
```

Use it in your configuration:

```sh
DATABASE_URL=postgresql://desterlib:GENERATED_PASSWORD_HERE@postgres:5432/desterlib?schema=public
```

Note that base64 output can contain `+`, `/` and `=`, which have special meaning inside a URL. Either percent-encode those characters in `DATABASE_URL` or generate a password that avoids them (for example `openssl rand -hex 32`).
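The following script is an added example for this guide, not DesterLib's own tooling. It generates a password that is safe to embed in `DATABASE_URL` without escaping, writes it into `.env` with mode 600 (the permission this guide asks for under Configuration Files), and shows the extra step needed when rotating an existing database's password. The role, database and compose service names (`desterlib`, `desterlib`, `postgres`) are taken from the configuration above and are assumptions if your deployment differs; `rotate_postgres_password` is a hypothetical helper that is defined but not run here.

```sh
#!/bin/sh
# Added example for this guide, not DesterLib's own tooling. Assumes the role,
# database and compose service names used above (desterlib / desterlib / postgres).
set -eu

# 32 random bytes in the base64url alphabet (A-Z a-z 0-9 - _), padding stripped.
# Unlike plain base64 it never contains '+', '/' or '=', so the password can be
# pasted into DATABASE_URL without percent-encoding. Result is 43 characters.
gen_db_password() {
  openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n'
}

# Succeeds only if the password contains nothing that needs escaping in a URL.
is_url_safe() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._~-]{32,}$'
}

# Write or replace DATABASE_URL in ENV_FILE, preserving every other variable.
# The file is assembled in a temp file created with mode 600 and renamed into
# place, so the secret is never world-readable, not even briefly.
set_database_url() {
  env_file=$1
  password=$2
  is_url_safe "$password" || { echo "refusing non-URL-safe password" >&2; return 1; }
  url="postgresql://desterlib:${password}@postgres:5432/desterlib?schema=public"
  tmp=$(mktemp "${env_file}.XXXXXX")
  chmod 600 "$tmp"
  if [ -f "$env_file" ]; then
    grep -v '^DATABASE_URL=' "$env_file" > "$tmp" || true
  fi
  printf 'DATABASE_URL=%s\n' "$url" >> "$tmp"
  mv "$tmp" "$env_file"
  chmod 600 "$env_file"
}

# Hypothetical helper for rotation after an incident: the password must also
# change inside Postgres. POSTGRES_PASSWORD only seeds the role when the data
# directory is first created, so a new value in .env alone leaves the old
# password valid. Not run below because it needs the stack to be up.
rotate_postgres_password() {
  docker compose exec -T postgres psql -U desterlib -d desterlib -v ON_ERROR_STOP=1 \
    -c "ALTER ROLE desterlib WITH PASSWORD '$1';"
}

# Demo against a throwaway directory (constructed input; no Docker required).
demo() {
  dir=$(mktemp -d)
  printf 'NODE_ENV=production\nDATABASE_URL=postgresql://old\n' > "$dir/.env"
  pw=$(gen_db_password)
  set_database_url "$dir/.env" "$pw"
  cat "$dir/.env"                  # NODE_ENV kept, DATABASE_URL replaced
  ls -l "$dir/.env" | cut -c1-10   # -rw-------
  rm -rf "$dir"
}
demo
```

Because the generated password uses only `A-Z a-z 0-9 - _`, it is also safe to drop into the single-quoted SQL literal in `rotate_postgres_password` without further quoting; if you use a password from another source, check it with `is_url_safe` first.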
### Don’t Expose Database Port

Default (secure):
```yaml
postgres:
  ports:
    - "127.0.0.1:5432:5432"   # Localhost only
```

Insecure (avoid):
```yaml
postgres:
  ports:
    - "0.0.0.0:5432:5432"   # Exposed to the whole network ❌
```

A mapping with no address, such as `"5432:5432"`, also binds every interface. If only the API container needs the database, the safest option is to publish no port at all: containers on the same compose network reach `postgres:5432` without one.
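The script below is an added example, not part of DesterLib, that audits the short-form port mappings in a compose file and reports every one that is not bound to the loopback address. It catches the two mistakes people make here: a bare `"5432:5432"` binds `0.0.0.0` exactly like `"0.0.0.0:5432:5432"`, and because Docker inserts its own iptables rules ahead of a host firewall such as ufw, a port published on all interfaces is reachable no matter what the firewall says. The sample compose file is constructed for the demo; its service and image names are placeholders.

```sh
#!/bin/sh
# Added example, not part of DesterLib: report compose port mappings that are
# reachable from beyond the host.
set -eu

# Short-form mapping: [ip:]host[-host]:container[-container][/proto], optionally
# quoted, optionally followed by a comment. Long-form ("- target: 5432") is not covered.
PORT_RE="^[[:space:]]*-[[:space:]]*[\"']?([0-9]{1,3}(\.[0-9]{1,3}){3}:)?[0-9]+(-[0-9]+)?:[0-9]+(-[0-9]+)?(/(tcp|udp))?[\"']?[[:space:]]*(#.*)?\$"

# Print offending lines with their line numbers; return 1 if any were found.
check_published_ports() {
  offending=$(grep -nE "$PORT_RE" "$1" | grep -vE '(127\.0\.0\.1|localhost):' || true)
  if [ -z "$offending" ]; then
    return 0
  fi
  printf '%s\n' "$offending"
  return 1
}

# Constructed sample compose file (placeholder names): one mapping bound to
# loopback, two that are not.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  api:
    image: example/api
    ports:
      - "3001:3001"                 # no address given: binds 0.0.0.0
  postgres:
    image: postgres:16
    ports:
      - "127.0.0.1:5432:5432"       # Localhost only
  other:
    image: example/other
    ports:
      - 0.0.0.0:6379:6379
EOF
}

# Demo (no Docker needed): expect the 3001 and 6379 lines to be reported.
dir=$(mktemp -d)
write_sample_compose "$dir/docker-compose.yml"
check_published_ports "$dir/docker-compose.yml" || echo "the mappings above are reachable from beyond this host"
rm -rf "$dir"
```

Run it against your real file with `check_published_ports docker-compose.yml` before `docker compose up`; a non-zero exit makes it usable as a pre-deploy gate in a script.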
## Docker Security

### Read-Only Media Mount

Media files are mounted read-only:
```yaml
volumes:
  - /path/to/media:/media:ro   # :ro prevents writes
```

With `:ro` the mount is read-only inside the container, so DesterLib cannot modify or delete your media files even if the application itself is compromised.
### Container Isolation

Containers run in their own bridge network:
```yaml
networks:
  desterlib-net:
    driver: bridge
```

A user-defined bridge network keeps DesterLib's containers separate from other containers on the host; it does not restrict their traffic to the host itself or to the internet.

### Regular Updates
Keep Docker images updated:
```sh
docker compose pull
docker compose up -d
```

## File Permissions
### Media Directory

Recommended permissions:
```sh
# Server can read, but not write
chmod -R 755 /path/to/media
```

If you would rather not mark every file executable, apply 755 to directories and 644 to files instead (for example with `find -type d` and `find -type f`). Keep in mind that file permissions only restrict processes running as a different user; the `:ro` mount is what stops the container from writing regardless of the user it runs as.

### Configuration Files
Protect sensitive files:
```sh
chmod 600 ~/.desterlib/.env                 # Only the owner can read/write
chmod 644 ~/.desterlib/docker-compose.yml   # World-readable is fine only if it holds no secrets
```

## HTTPS Setup
### Option 1: Caddy (Easiest)

Install Caddy:
```sh
sudo apt install caddy   # Ubuntu/Debian
brew install caddy       # macOS
```

Configure (Caddyfile):
```
desterlib.yourdomain.com {
    reverse_proxy localhost:3001
}
```

Start:
```sh
sudo caddy start   # runs in the background using the Caddyfile in the current directory
# With the apt package, Caddy runs as a systemd service and reads /etc/caddy/Caddyfile:
# sudo systemctl reload caddy
```

Caddy needs ports 80 and 443 reachable from the internet to obtain and renew certificates. It automatically:
- ✅ Gets Let’s Encrypt certificate
- ✅ Renews certificates
- ✅ Redirects HTTP → HTTPS
### Option 2: Nginx + Certbot

Install:
```sh
sudo apt install nginx certbot python3-certbot-nginx
```

Configure nginx:
```nginx
server {
    listen 80;
    server_name desterlib.yourdomain.com;

    location / {
        proxy_pass http://localhost:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Get a certificate:
```sh
sudo certbot --nginx -d desterlib.yourdomain.com
```

Certbot rewrites the server block to listen on 443 with the new certificate and, by default in current versions, redirects HTTP to HTTPS. Run `sudo certbot renew --dry-run` once to confirm automatic renewal works.

## Firewall Rules
### UFW (Ubuntu/Debian)

```sh
# Allow SSH (don't lock yourself out!)
sudo ufw allow ssh

# Allow DesterLib from the local network only (192.168.1.0/24 is an example; use your subnet)
sudo ufw allow from 192.168.1.0/24 to any port 3001 proto tcp

# If using HTTPS through a reverse proxy: 443 for TLS, 80 for the
# certificate challenge and the HTTP -> HTTPS redirect
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp

# Enable firewall
sudo ufw enable
```

When a reverse proxy sits in front of DesterLib, the proxy is the only thing that should be reachable on a public interface; keep port 3001 restricted to the LAN. Also note that Docker publishes container ports through its own iptables chains, bypassing UFW, so a port published as `0.0.0.0:3001` is reachable regardless of these rules. Bind published ports to `127.0.0.1` (or a LAN address) in `docker-compose.yml` instead of relying on the host firewall.

### firewalld (CentOS/RHEL)
```sh
sudo firewall-cmd --permanent --add-port=3001/tcp
sudo firewall-cmd --reload
```

### macOS

System Preferences → Security & Privacy → Firewall → Firewall Options
- Add Docker.app
- Allow incoming connections
## Monitoring & Alerts

### Log Monitoring

Watch for suspicious activity:
```sh
# Monitor API access (state-changing requests)
docker compose logs -f api | grep -E "POST|PUT|DELETE"

# Monitor errors
docker compose logs -f api | grep -i error
```

### Rate Limit Alerts
Monitor rate limiting:
```sh
docker compose logs api | grep "Too many requests"
```

A handful of hits can be a misbehaving client; a steady stream from one address means someone is abusing your API and is a good reason to block that address at the firewall or reverse proxy.
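Grepping shows individual hits; what you actually want to know is which client is responsible. The script below is an added example, not DesterLib code, that turns a stream of access-log lines into per-client counts of mutating requests and rate-limited (HTTP 429) responses and flags clients above a threshold. This page does not document the API's real log format, so the sample lines are constructed in a common `client_ip method path status` layout and the field positions are assumptions; adjust the awk field numbers to match your proxy or API logs.

```sh
#!/bin/sh
# Added example, not DesterLib code. Field positions ($1 ip, $2 method, $4 status)
# are assumptions about the log layout; the sample below is constructed.
set -eu

# Constructed sample: three clients, one of them hammering the API and tripping
# the rate limiter (HTTP 429).
SAMPLE_LOG='203.0.113.7 GET /api/media 200
203.0.113.7 POST /api/library/scan 200
198.51.100.2 GET /api/media 200
203.0.113.7 DELETE /api/media/42 200
203.0.113.7 POST /api/library/scan 429
203.0.113.7 POST /api/library/scan 429
192.0.2.9 GET /health 200
203.0.113.7 GET /api/media 429'

# Per-client counts of mutating requests (POST/PUT/DELETE) and 429 responses,
# reading log lines on stdin. Output: ip mutating rate_limited
summarize_clients() {
  awk '{ ip = $1; m = $2; st = $4
         if (m == "POST" || m == "PUT" || m == "DELETE") mut[ip]++
         if (st == 429) lim[ip]++
         seen[ip] = 1 }
       END { for (ip in seen) printf "%s %d %d\n", ip, mut[ip] + 0, lim[ip] + 0 }' | sort
}

# Print clients whose 429 count is at or above a threshold (default 3).
flag_abusers() {
  threshold=${1:-3}
  summarize_clients | awk -v t="$threshold" '$3 >= t { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_clients
printf '%s\n' "$SAMPLE_LOG" | flag_abusers 3
```

Against a live stack, pipe the API logs in without the service-name prefix, for example `docker compose logs --no-log-prefix api | flag_abusers 20`, and feed the result to whatever blocks addresses in your setup (a ufw deny rule or a proxy deny list).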
## Authentication (Planned)

When authentication is implemented:
### Planned Features

- JWT-based authentication
- User registration and login
- Role-based access control
- API key management
- Session management
### Current Workaround

Until then, use network-level security:
- Keep on private network
- Use VPN (Tailscale)
- Use reverse proxy with auth (Authelia, OAuth2 Proxy)
## Data Protection

### What’s Sensitive

High priority:
- Database (has your library metadata)
- `.env` file (has credentials)
Low priority:
- Docker images (public)
- `docker-compose.yml` (no secrets if you keep them in `.env`)
### Encryption

Database encryption:
- PostgreSQL doesn’t encrypt data at rest by default
- Use disk encryption at OS level (LUKS, FileVault, BitLocker)
Transport encryption:
- Use HTTPS for remote access
- Tailscale encrypts all traffic automatically
## Incident Response

### If Compromised

1. Immediately stop the service:

   ```sh
   docker compose stop
   ```

   Use `stop` rather than `down` at this point: `docker compose down` removes the containers and their logs go with them, and you still need those logs.

2. Review and preserve the logs:

   ```sh
   docker compose logs --timestamps api > incident-logs.txt
   ```

3. Change all passwords:
   - Database password: set a new value in `.env` (and in `docker-compose.yml` if it is repeated there). `POSTGRES_PASSWORD` only seeds the role when the data directory is first created, so on an existing database also change it inside Postgres (`ALTER ROLE desterlib WITH PASSWORD '...'`); otherwise the old password keeps working.

4. Restore from a backup taken before the compromise:
   - See the installation guide for backup procedures.

5. Update everything and bring the stack back:

   ```sh
   docker compose down
   docker compose pull
   docker compose up -d
   ```
## Security Checklist

Before going to production:

- Strong database password (32+ characters)
- `.env` file has correct permissions (600)
- Media mounted read-only (`:ro`)
- Database port not published beyond localhost
- Firewall configured
- Using HTTPS (if exposed to internet)
- Regular backups configured
- Monitoring in place
- Keep containers updated weekly
## Reporting Security Issues

Found a security vulnerability?
DO NOT open a public issue.
Email: security@dester.in (or open a GitHub security advisory)
We’ll respond within 48 hours.
## Related Documentation

- Docker Deployment: production deployment
- Environment Variables: configuration