Security: decriptor/Roon.Extensions.DJ

SECURITY.md

Security Policy

Trust model

RoonDJ runs a plain HTTP server on your local network so party guests can connect from their phones over Wi-Fi. It is designed for a trusted, same-LAN environment — your home or venue network among people you've invited — not for exposure to the public internet.

  • Do not port-forward RoonDJ or otherwise make it reachable from the internet.
  • Keep it on the same trusted LAN as your guests and your Roon Core.
  • The server holds Roon pairing secrets in config.json (gitignored). Treat that file as sensitive and never commit or share it.

Access modes

The host controls how guests get in (configured in Roon → Extensions → Roon DJ):

  • Open — anyone on the LAN who has the URL can add music.
  • Passcode — guests must enter a shared party passcode.
  • Name required — guests must provide a display name.

These gates manage casual access among trusted guests; they are not a hardened auth system. Session ids are client-chosen, "name required" admits any non-empty name, and the passcode is a soft gate held in process memory — anyone who knows it can join freely. That is appropriate for a trusted LAN party; don't rely on it as internet-facing security.

If you run it behind a reverse proxy

By default RoonDJ rate-limits per client IP using the direct TCP peer address (Fastify is configured without trustProxy). If you put it behind a reverse proxy, every guest will appear as the proxy's single IP, so the per-guest rate limit collapses to one shared bucket. Prefer running RoonDJ directly on the LAN; if you must proxy it, enable Fastify trustProxy and a forwarded-for rate-limit key generator.
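The bucket collapse described above, as an added example that is not RoonDJ's own code: `directKey` mirrors the default behaviour (key on the TCP peer address), `forwardedForKey` is the kind of `keyGenerator` you would pass to `@fastify/rate-limit` once `trustProxy` is enabled, and the two guest requests are constructed stand-ins with only `ip` and `headers`.

```javascript
// Rate-limit keys for a direct vs. proxied RoonDJ deployment.
// Assumed hook: @fastify/rate-limit's keyGenerator(request) -> string.

// Default behaviour: every request is bucketed by the TCP peer address.
// Behind a proxy that address is the proxy itself, so all guests share one bucket.
function directKey(request) {
  return request.ip;
}

// Proxied deployment: use the left-most X-Forwarded-For entry (the client as
// seen by the first proxy) and fall back to the peer address if it is absent.
// Register this only together with trustProxy, and prefer trustProxy set to the
// proxy's own address rather than `true`, so that a client connecting directly
// cannot supply the header itself and choose its own bucket.
function forwardedForKey(request) {
  const xff = request.headers['x-forwarded-for'];
  if (typeof xff !== 'string' || xff.trim() === '') {
    return request.ip;
  }
  const first = xff.split(',')[0].trim();
  return first || request.ip;
}

// Fastify server options for the two deployments (assumed, not the project's config).
const directServerOptions = { trustProxy: false };
const proxiedServerOptions = { trustProxy: '127.0.0.1' }; // trust only the local proxy
const proxiedRateLimitOptions = { max: 60, timeWindow: '1 minute', keyGenerator: forwardedForKey };

// Constructed sample: two phones behind one reverse proxy whose peer address is 192.168.1.2.
const guestA = { ip: '192.168.1.2', headers: { 'x-forwarded-for': '192.168.1.40' } };
const guestB = { ip: '192.168.1.2', headers: { 'x-forwarded-for': '192.168.1.41, 192.168.1.2' } };

// Number of distinct rate-limit buckets a key function yields for a set of requests.
function bucketsFor(keyFn, requests) {
  return new Set(requests.map(keyFn)).size;
}

console.log('direct key buckets:', bucketsFor(directKey, [guestA, guestB]));          // 1
console.log('forwarded-for buckets:', bucketsFor(forwardedForKey, [guestA, guestB])); // 2
```

Note that once `trustProxy` is set, Fastify itself derives `request.ip` from X-Forwarded-For, so the explicit generator mainly documents the choice and keeps the fallback behaviour visible.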

Reporting a vulnerability

Please report security issues privately — do not open a public issue.

  • Preferred: open a private GitHub Security Advisory for this repository (the repo's Security → Advisories → Report a vulnerability flow).
  • This routes the report directly and confidentially to the maintainer.

Please include steps to reproduce and the potential impact. We'll acknowledge your report and work with you on a fix and coordinated disclosure.
