Some notes on myMPD security.
- Update myMPD and the systems it runs on regularly
- Do not add files from untrusted sources to your music library
myMPD should not be directly accessible from the internet. It is designed to run inside a relatively secure intranet.
If you want to access myMPD from the internet, put a reverse proxy with authentication and SSL/TLS encryption in front of it.
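One way to set up the reverse proxy described above, as an added nginx example that is not part of the myMPD documentation. The hostname, the certificate and htpasswd paths, and the upstream address 127.0.0.1:8080 are assumptions, as is myMPD listening only on loopback over plain HTTP.

```nginx
# Added example, placed in a file included from the http {} context.
# Hostname, file paths and the upstream address are assumptions.

# Only send "Connection: upgrade" upstream when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect plain HTTP so credentials are never sent unencrypted.
server {
    listen 80;
    server_name music.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name music.example.org;

    ssl_certificate     /etc/nginx/tls/music.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/music.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Set at server level so authentication covers every path,
    # and unauthenticated requests never reach myMPD.
    auth_basic           "myMPD";
    auth_basic_user_file /etc/nginx/mympd.htpasswd;

    location / {
        # myMPD is assumed to listen here, unreachable from other hosts.
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Pass WebSocket upgrades through (assumes the web client uses them).
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Long-lived connections should not be cut by the default 60s timeout.
        proxy_read_timeout 1h;
    }
}
```

nginx forwards upstream response headers by default, so the Content Security Policy sent by myMPD still reaches the browser. Check that the proxy is the only listener exposed on the public interface.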
Nevertheless, myMPD is designed with security in mind:
- All input data is validated and size limited (tested with a fuzzer)
- The webserver limits the number of connections and request sizes
- The C backend is compiled with hardening flags and is regularly checked with static code analyzers
- The debug and development builds are linked with libasan to detect memory errors
- myMPD uses a fork of Simple Dynamic Strings to prevent buffer overflows
- Files are served with a strict Content Security Policy and Trusted Types policy to prevent XSS attacks
- All included dependencies are updated regularly
If you find a security bug in myMPD, please report it and I will fix it as soon as possible.
Send an email to firstname.lastname@example.org.