
Security

Some notes on myMPD security.

General

  • Update myMPD and the systems it runs on regularly
  • Do not add files from untrusted sources to your music library

Restrict access

myMPD should not be directly accessible from the internet. It is designed to run inside a relatively secure intranet.

If you want to access myMPD from the internet, you should put a reverse proxy with authentication and SSL/TLS encryption in front of it.
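One way to set up such a reverse proxy, shown with nginx as an added example (not taken from the myMPD project). The host name, certificate paths, htpasswd file and the backend address 127.0.0.1:8080 are assumptions, as is the use of WebSocket upgrades by the web UI; adjust them to your installation.

```nginx
# Added example: host name, file paths and upstream port are assumptions.
# Place inside the http {} context, e.g. /etc/nginx/conf.d/mympd.conf.

# Forward a WebSocket upgrade only when the client asks for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect plain HTTP to HTTPS so credentials never travel unencrypted.
server {
    listen 80;
    server_name music.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name music.example.org;

    ssl_certificate     /etc/ssl/certs/music.example.org.pem;
    ssl_certificate_key /etc/ssl/private/music.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Authentication is enforced here, before any request reaches myMPD.
        auth_basic           "myMPD";
        auth_basic_user_file /etc/nginx/mympd.htpasswd;

        # Backend is assumed to listen on loopback only.
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }
}
```

The proxy only protects myMPD if the backend port cannot be reached from outside the host, so bind it to loopback or block it with a firewall.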

Security measures

Nevertheless, myMPD is designed with security in mind.

  • All input data is validated and size limited (tested with a fuzzer).
  • The webserver limits the number of connections and request sizes.
  • The C backend is compiled with hardening flags and is regularly checked with static code analyzers.
  • The debug and development builds are linked with libasan to detect memory errors.
  • myMPD uses a fork of Simple Dynamic Strings to avoid error-prone C string handling functions.
  • Files are served with a strict Content Security and Trusted Types Policy to prevent XSS attacks.
  • The JavaScript frontend avoids parsing strings into DOM nodes.
  • All included dependencies are updated regularly.

Reporting

If you find a security bug in myMPD, please report it and I will fix it as soon as possible.

Write a mail to mail@jcgames.de.