Feature request
I host my media services (Audiobookshelf and Jellyfin) behind a Cloudflare Zero Trust (Access) gateway. While this works perfectly in a desktop web browser, it creates a "wall" for native mobile applications (like BookPlayer and the Jellyfin/Swiftfin apps).
Scope: This would immediately enable compatibility with Cloudflare Access, Authelia, Authentik, and custom reverse-proxy API keys.
These apps currently lack the ability to handle the Cloudflare authentication handshake. Cloudflare provides Service Tokens for this exact scenario, but they require the client to pass two specific HTTP headers with every request:
CF-Access-Client-Id
CF-Access-Client-Secret
Without the ability to inject these headers, the apps receive a 403 Forbidden or a redirect to a login page they cannot render, effectively breaking remote access for secured instances.
Narrative
I would like to see an as part of the Integrations section within the Server/Connection setup menu that allows users to define custom HTTP Header Key-Value pairs.
Interface: A simple list where a user can add a "Key" and a "Value."
Behavior: These headers should be stored securely and appended to every outgoing API and streaming request made to that specific server URL.
Design
Describe alternatives you've considered
Bypass Policies: Creating IP-based bypasses is insecure and fails for mobile users who rotate IP addresses on cellular networks or public Wi-Fi.
WARP Client: Enrolling devices in a Zero Trust organization is a heavy-handed solution that increases battery drain and configuration complexity compared to a simple header injection.
Removing Security: Disabling the identity provider is not a viable option for a production-grade home lab.
Additional context
As the self-hosting community moves toward "Zero Trust" architectures, the inability for mobile clients to pass authentication headers is becoming a primary bottleneck. Implementing this would bring these apps in line with professional-grade networking tools and significantly improve the security posture for all users.
Feature request
I host my media services (Audiobookshelf and Jellyfin) behind a Cloudflare Zero Trust (Access) gateway. While this works perfectly in a desktop web browser, it creates a "wall" for native mobile applications (like BookPlayer and the Jellyfin/Swiftfin apps).
Scope: This would immediately enable compatibility with Cloudflare Access, Authelia, Authentik, and custom reverse-proxy API keys.
These apps currently lack the ability to handle the Cloudflare authentication handshake. Cloudflare provides Service Tokens for this exact scenario, but they require the client to pass two specific HTTP headers with every request:
CF-Access-Client-Id
CF-Access-Client-Secret
Without the ability to inject these headers, the apps receive a 403 Forbidden or a redirect to a login page they cannot render, effectively breaking remote access for secured instances.
Narrative
I would like to see an as part of the Integrations section within the Server/Connection setup menu that allows users to define custom HTTP Header Key-Value pairs.
Interface: A simple list where a user can add a "Key" and a "Value."
Behavior: These headers should be stored securely and appended to every outgoing API and streaming request made to that specific server URL.
Design
Describe alternatives you've considered
Bypass Policies: Creating IP-based bypasses is insecure and fails for mobile users who rotate IP addresses on cellular networks or public Wi-Fi.
WARP Client: Enrolling devices in a Zero Trust organization is a heavy-handed solution that increases battery drain and configuration complexity compared to a simple header injection.
Removing Security: Disabling the identity provider is not a viable option for a production-grade home lab.
Additional context
As the self-hosting community moves toward "Zero Trust" architectures, the inability for mobile clients to pass authentication headers is becoming a primary bottleneck. Implementing this would bring these apps in line with professional-grade networking tools and significantly improve the security posture for all users.