React2Shell is exactly the shitshow situation yes. Suddenly we are all at risk. But in this case, I’m sorry to say that my cats’ pictures are worthless.

Your point on nginx/wireguard makes me think that it might be better to htaccess through a reverse proxy than relying on a built in login system. For exemple, I should deactivate jellyfin’s login and put it behind an htaccess at the proxy’s level. Is that completely dumb?

Anyway, I clearly need to research “threat models” and cyber/infosec more. Thank you very much!