You’d still need to allow access to the /api/ path, and even public endpoints could potentially expose you to a vulnerability. It’s entirely up to your threat model.

Knowing what happened in 2014 with iCloud, I’m not prepared to take that risk. Especially as Immich is under heavy development and things can often change and move around. At least this way I know that it will either safely fetch the data or simply fail.

It forwards requests to the other server.

No raw requests are passed to Immich. All incoming data is validated / sanitized. Requests are only made to specific whitelisted API endpoints. I don’t know why you’re so angry 🤷

some dude’s personal project

Yes, it’s my project.

if I put it behind something else that forwards traffic to the server then that’s somehow safe!

It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.

telling me that is more secure. As though that project is better written?

Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.

It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.

Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?

No - this is using lightGallery. You can see what Immich looks like on their demo.

I’m “exposing” my own server either way!

Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.

This is stupid.

You seem to understand neither security nor privacy.

I get to give you access to all my photos so that you can just proxy calls to my server?

This is a self-hosted app… The only person who has access to your photos is you - that’s the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.

It doesn’t forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.