[SECURITY] Credentials in plain Text in HTTP Request?

[TheZerbio]

Description

While i am in no way a security expert i am pretty sure i shouldn't be able to read my access data from the TCP package using wireshark.
A.f.a.i.k. this would expose sensitive data to man-in-the-middle attacks.
This is mostly relevant if you make your Jellyfin server accessible from outside your home network.

Reproduction steps

1. Open Fladder (tested with Windows client)
2. Open Wireshark and start recording you traffic
3. Log into your Jellyfin instance 
4. (Optional) use ip.dest=<your-jellyfin-server-ip> to filter the recorded traffic
5. Find the right transaction for application/json

Screenshots

Logs

Platform

Windows

App Version

latest from winget

Jellyfin server

linux based (no docker)

[Vardorien]

This is expected network behavior since your traffic is being served over http to a direct IP. There's no encryption going on.
If you want encryption you'll need to setup https using a FQDN with an SSL cert. Plenty of guides online for how to do it through various methods.
If you don't want to purchase a domain there's plenty of tutorials using services like https://www.duckdns.org/

Assuming you aren't using https already

[TheZerbio]

The server is already setup for https using a Certbot certificate. Http traffic is also redirected to use https instead. (E.g. If ich call the web interface using http:// i get redirected to https://)
After some more digging it appeas that Fladder defaults to http if not explicitly instructed to use https in the server URL.