Disclaimer

Project status, security guidance, legal disclaimer, and support expectations.

Project status

CrossWatch is in active development. Things can break between releases.

Disclaimer

CrossWatch is an independent, community-maintained project. It is not affiliated with or endorsed by Plex, Emby, Jellyfin, Trakt, SIMKL, AniList or MDBList.

All product names, logos, and brands belong to their respective owners. They are used for identification only.

CrossWatch interacts with third-party services. You are responsible for complying with their Terms of Use and API rules.

This software is provided "as is". There are no warranties or guarantees.

Security

Do not expose CrossWatch directly to the public internet!

CrossWatch is intended for LAN/VPN use and may contain security weaknesses.

Putting CrossWatch on the public internet turns it into a target for automated scanners and real attackers. If it has any weaknesses (common ones in self-hosted apps include auth bypasses, weak session handling, missing rate limits, insecure defaults, outdated dependencies, or simple bugs), an attacker can use them to:

  • Get unauthorized access to the UI and any data it can reach.

  • Steal credentials/tokens if traffic isn’t properly encrypted end-to-end.

  • Abuse the service (brute-force logins, spam requests, DoS) if there’s no throttling/WAF.

  • Exploit known CVEs in the stack (framework/libs) the moment your instance is discoverable.

Therefore:

  • Keep CrossWatch off the public internet (no direct exposure, no port-forwarding).

  • Prefer binding to localhost / LAN only and restrict access with your firewall.

  • For remote access, use a VPN (WireGuard/Tailscale) rather than opening ports.

  • Enable UI authentication (Settings - Security).

  • Enable HTTPS/TLS (recommended).
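
One way to check the binding advice above on a running host, as an added example that is not part of CrossWatch or its documentation: it classifies every listening address for a given port in `ss -ltn` output. The port `8080`, the sample output and the function names are constructed for illustration; `100.64.0.0/10` is handled separately because Tailscale addresses fall in that range and Python's `ipaddress` does not report it as private.

```python
import ipaddress
# Shared address space (RFC 6598); Tailscale assigns node addresses from it.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify_bind(host: str) -> str:
    """Classify a listen address by how widely it can be reached."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    if host in ("", "*"):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                   # 0.0.0.0 or :: = every interface
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in CGNAT:
        return "vpn-cgnat"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "public"

def audit_listeners(ss_output: str, port: int) -> list[tuple[str, str]]:
    """Return (address, class) for every listener on `port` in `ss -ltn` text."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                        # header or non-listening row
        host, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            findings.append((host, classify_bind(host)))
    return findings

def needs_review(findings: list[tuple[str, str]]) -> list[str]:
    """Addresses that rely on the firewall alone to stay off the internet."""
    return [addr for addr, cls in findings if cls in ("wildcard", "public")]

# Constructed sample: lines from different configurations; port is a placeholder.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      2048   0.0.0.0:8080         0.0.0.0:*
LISTEN 0      2048   [::]:8080            [::]:*
LISTEN 0      128    127.0.0.1:5432       0.0.0.0:*
LISTEN 0      2048   192.168.1.10:8080    0.0.0.0:*
LISTEN 0      2048   100.101.102.103:8080 0.0.0.0:*
"""

if __name__ == "__main__":
    found = audit_listeners(SAMPLE_SS, 8080)
    print(found, "-> review firewall for:", needs_review(found))
```

On a real host, pass it the output of `ss -ltn` and the port your instance listens on; a wildcard result means the service answers on every interface and only the firewall keeps it private.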

Dependencies

Runtime dependencies (for transparency)
  • fastapi - API server

  • pydantic - request/response models

  • uvicorn - ASGI server

  • requests - HTTP client

  • plexapi - Plex API client (third-party)

  • websocket-client - WebSocket client (events where applicable)

  • websockets - asyncio WebSocket support

  • python-multipart - multipart/form-data support

  • packaging - version parsing and feature gating

Support expectations

This is a community project. Support is best-effort.

Be respectful and constructive when you ask for help. If you need guaranteed support, this project is not that.
