Can anyone comment on the security of Jellyfin? When I had last looked into it, it seemed like Jellyfin had a somewhat weak security model that made me question switching family members to it from Plex.
Yea, it's pretty bad; there are pages of non-fixed confirmed exploits, you really shouldn't let it face the net.
VPN is one solution, and actually the only real solution for app-based jellyfin (TV, phone apps) I found so far.
Another is to host Jellyfin behind a reverse proxy, and have a completely independent auth gate in front of it (authentik, authelia). Jellyfin even supports LDAP (through a plugin), so you don't have to log in twice per visit. The downside is that only the web interface can be hidden this way, as apps will break expecting the Jellyfin auth page and finding something else.
I run it in a docker container behind traefik in another container. Getting that wired up and working in podman was quite the challenge. Docker container mounts my media as read only.
It’s still a mess and any suggestions to fix it are met with hostility which is a shame because I’d love to use it. Last I checked there were still endpoints not behind auth that exposed stuff you’d probably not want exposed.
For whatever reason people here and on Reddit will tell you that you need to have Jellyfin pass through five VPNs, otherwise nasty things will happen. Meanwhile the actual devs suggest simply setting up a reverse proxy, which you can do in two lines with Caddy: https://jellyfin.org/docs/general/post-install/networking/re...
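The "two lines with Caddy" setup the comment above refers to, written out as an added example (this is not the Jellyfin project's own documentation snippet, and the hostname `jellyfin.example.com` is a placeholder). It assumes Jellyfin is listening on its default HTTP port 8096 on the same host as Caddy and is bound only to the loopback interface, so the only externally reachable path is through the proxy, which terminates TLS with an automatically issued certificate:

```caddyfile
# Added example Caddyfile, not from the original thread or the Jellyfin docs.
# Replace jellyfin.example.com with your own DNS name.
jellyfin.example.com {
    # Forward all requests to the local Jellyfin instance (default port 8096).
    # Keep Jellyfin itself bound to 127.0.0.1 so it cannot be reached
    # except through this proxy; Caddy handles HTTPS and certificate renewal.
    reverse_proxy 127.0.0.1:8096
}
```

Check that nothing else reaches Jellyfin directly by confirming, from outside the host, that port 8096 is not open and that only 80/443 on Caddy answer; the proxy only helps if the application port is not also exposed.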
To alleviate your concerns, I have a public facing Jellyfin instance hosted on a subdomain for almost a year now. So far zero pwns or bot activity.
Don't expose it to the internet unless you know what you're doing, or put it on a VPS you don't care about.
Ideally keep it behind a VPN and give your family members access to it that way, and let local devices on your LAN connect to it without a VPN.