fix(plex-allowlist): add missing HTTP status codes for streaming #1728
Merged
blotus merged 1 commit into crowdsecurity:master from Mar 18, 2026
- Add 206 (Partial Content) to /video/:/transcode/ and /music/:/transcode/
  Video and audio streaming use HTTP range requests which return 206, not 200. Without this, active streams trigger http-crawl-non-statics and http-probing scenarios.
- Add 403 to /video/:/transcode/ and /:/timeline
  When a Plex session's auth token expires mid-stream, the client continues sending requests that return 403. These are normal Plex client behaviors, not attacks.
- Extend /library/metadata/ to cover 403, 404, and plex:// URIs
  Replaced the ^\d+ regex with a startsWith check to also match plex:// GUID paths (e.g. plex%3A%2F%2Fmovie%2F...) which Plex clients request when looking up media. Added 403/404 status codes for auth-expired and not-found responses.
- Add 206 to /photo/:/transcode/
  Thumbnail/image requests can also use range requests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Problem

The plex-allowlist parser is missing several HTTP status codes that are produced by normal Plex client activity, causing legitimate Plex traffic to trigger scenarios like http-crawl-non-statics and http-probing.

Missing status codes

206 Partial Content on /video/:/transcode/ and /music/:/transcode/universal/session/

Video and audio streaming use HTTP range requests, which return 206, not 200. This is probably the most common false positive — any active stream will generate a flood of 206 responses that look like crawling to CrowdSec.

403 Forbidden on /video/:/transcode/ and /:/timeline

When a Plex session's auth token expires mid-stream (e.g. the user pauses for a long time), the Plex client continues sending stop/session/timeline requests that return 403. These contain session IDs in the URL and are clearly normal client behavior.

403 and 404 on /library/metadata/

Plex clients regularly fetch metadata that returns 403 (auth expired) or 404 (not found locally). Additionally, the existing ^\d+ regex doesn't match plex:// GUID-style paths (e.g. /library/metadata/plex%3A%2F%2Fmovie%2F5d776...) that Plex uses for watch-together and discover features.

206 on /photo/:/transcode/

Photo/thumbnail range requests can also return 206.

Changes

- /video/:/transcode/: add 206, 403
- /photo/:/transcode/: add 206
- /:/timeline: add 403
- /library/metadata/: add 403, 404; replace ^\d+ regex with startsWith to cover plex:// GUIDs
- /music/:/transcode/universal/session/: add 206

🤖 Generated with Claude Code
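
An added example, not part of the pull request or the CrowdSec hub: a Python model of the path-and-status allowlist listed under Changes, run over constructed requests. It compares three checks for /library/metadata/: the old ^\d+ regex, a prefix-only startsWith check, and a hypothetical stricter pattern. Assumptions: the 200 entries, that startsWith is applied to the /library/metadata/ prefix, and the plex:// GUID shape (modelled on the single example in the description).

```python
import re
from urllib.parse import unquote

# Model of the allowlist after this PR: path prefix -> allowed statuses.
# 200 is an assumed pre-existing entry; the other codes are those the PR names.
RULES = {
    "/video/:/transcode/": {200, 206, 403},
    "/music/:/transcode/universal/session/": {200, 206},
    "/photo/:/transcode/": {200, 206},
    "/:/timeline": {200, 403},
    "/library/metadata/": {200, 403, 404},
}
META = "/library/metadata/"
OLD_ID = re.compile(r"^\d+")  # pre-PR check on the part after the prefix
# Hypothetical tighter form: numeric ID or decoded plex:// GUID (assumed shape).
STRICT_ID = re.compile(r"^(\d+|plex://[a-z]+/[0-9a-f]+)(/|$)")

def allowlisted(path, status, metadata_check="prefix"):
    """Return True when the request would be exempted from the HTTP scenarios."""
    path = path.split("?", 1)[0]  # match on the path only, not the query string
    for prefix, codes in RULES.items():
        if not path.startswith(prefix) or status not in codes:
            continue
        if prefix != META or metadata_check == "prefix":
            return True
        rest = unquote(path[len(META):])  # decode plex%3A%2F%2F... before matching
        pattern = OLD_ID if metadata_check == "old" else STRICT_ID
        return bool(pattern.match(rest))
    return False

# Constructed sample requests (path, status); not taken from real logs.
SAMPLES = [
    ("/video/:/transcode/universal/session/abc123/base/index.m3u8", 206),
    ("/:/timeline?state=stopped", 403),
    ("/library/metadata/12345/children", 404),
    ("/library/metadata/plex%3A%2F%2Fmovie%2F0123456789abcdef01234567", 404),
    ("/library/metadata/unexpected-name", 404),
    ("/library/sections", 404),
]

def compare():
    """Per sample: (old regex, prefix check, strict pattern) for the metadata rule."""
    return [tuple(allowlisted(p, s, m) for m in ("old", "prefix", "strict"))
            for p, s in SAMPLES]

if __name__ == "__main__":
    for (path, status), row in zip(SAMPLES, compare()):
        print(status, path, row)
```

The fifth sample shows the scope difference: a prefix-only check exempts any 403/404 under /library/metadata/, while the stricter pattern exempts only numeric IDs and plex:// GUIDs.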