Guardian

Honest review of a niche but capable Plex companion. No marketing spin — just what you get when you self-host it.

TL;DR

• What it is: A self-hosted security and access control layer for Plex Media Server. It watches your streams in real time and can block unapproved devices, enforce per-user rules, and send alerts when something unexpected happens [README].
• Who it’s for: Plex users who share their server with family or friends and want granular control over which devices can connect — without trusting Plex’s own limited managed-user system [README].
• Cost savings: Guardian itself is free and open source. Comparison is less about SaaS pricing and more about what Plex Pass buys you natively: $6.99/month or $119.99 lifetime for managed users and home features that still don’t block devices at the session level the way Guardian does [Plex pricing].
• Key strength: Deep, real-time device-level access control that Plex’s native tooling simply doesn’t offer. Block by IP range, schedule access by time of day, grant temporary permissions — all from a web UI [README].
• Key weakness: The project is feature-complete and actively looking for a new maintainer. The author has stated no new features will be added, and security patches may be slow. This is not a footnote — it’s the first thing in the README [README].

---

What is Guardian

Guardian is a companion app that sits alongside your Plex Media Server and enforces access policies that Plex itself doesn’t support. Where Plex lets you create managed users and toggle sharing, Guardian adds a second layer: it monitors every active Plex and Plexamp session in real time and can terminate sessions from unapproved devices the moment they start.

The pitch in the GitHub description is precise: “Monitor streaming activity, enforce granular access controls, and ensure only authorized devices can access your media library.” [README]. That’s not overreaching. The tool does exactly that and has a reasonably complete feature set to back it up.

Guardian was built by a single developer under the GitHub handle HydroshieldMKII. As of this review, the project has 165 stars and 3 forks — small numbers that signal a niche tool rather than a mainstream platform. The README was written carefully and the feature list is substantial, which suggests real production use. But the project has also posted a prominent warning block at the top of the documentation: the author considers the project feature-complete, will not be adding new features, and security patches may be delayed. A call for a new maintainer is open [README].

That context shapes everything that follows.

---

Why people choose it

The third-party articles provided for this review don’t cover Guardian directly — they discuss GitGuardian (a code security product), The Guardian newspaper’s engineering infrastructure, and general self-hosting news. There are no published independent reviews of HydroshieldMKII’s Guardian at the time of writing. Everything below is drawn from the README and GitHub project page.

The motivation for building Guardian is straightforward and shared by a large segment of the Plex community: Plex’s native sharing model is coarse. You can invite a user and share a library, but you can’t say “only this device, only these hours, and alert me if anything else tries to connect.” Family-sharing abuse is a known problem — someone gives a friend access, that friend shares the token with four other people, and suddenly your server is streaming to unknown devices on unknown IPs. Guardian addresses this gap directly.

The specific controls that push people toward Guardian over just “living with Plex’s defaults”:

Device whitelisting. By default, Plex doesn’t block devices — it authenticates users. Guardian adds device-level approval. An authenticated user on an unknown device gets terminated until you approve that device [README].

IP-based restrictions. You can allow a family member to stream only from their home LAN, block WAN connections entirely, or restrict to specific CIDR ranges. This is not a Plex native feature [README].

Schedule-based rules. Restrict access to certain hours — useful if you’re giving a child an account and want streaming to stop at bedtime [README].

Temporary access. Grant a device permission for a defined period without permanently approving it [README].

Alerts. When a new device tries to connect, when a session is blocked, when anything unexpected happens — Guardian can fire notifications over SMTP, Discord, Slack, Telegram, or any of the 100+ services supported by Apprise [README].

None of this replaces Plex. Guardian requires Plex to be running and connects via the Plex authentication token. Think of it as an access control proxy that intercepts sessions Plex already authenticated.

---

Features

Device Security & Access Control:

• Automatic session termination for unapproved devices [README]
• Global and per-user blocking configurations [README]
• IP-based controls: LAN, WAN, or specific IP/CIDR ranges [README]
• Temporary access with time limits [README]
• Schedule-based restrictions per user [README]

Real-time Monitoring:

• Live session tracking for Plex and Plexamp streams [README]
• Detailed device info: platform, product, version, IP address, last seen [README]
• Stream analytics: title, quality, duration, progress [README]
• Session history with filtering and search [README]
• Rich media display with thumbnails and background artwork [README]

Notifications:

• SMTP email with TLS/STARTTLS support [README]
• Apprise integration (Discord, Slack, Telegram, ntfy, and ~100 others) [README]
• Configurable triggers: new device attempts, blocks, custom events [README]

Interface & Management:

• Dark/light mode themes [README]
• Responsive design for mobile and desktop [README]
• Database export/import for backup and migration [README]
• Automatic cleanup of inactive devices [README]
• In-UI database management tools [README]
• Automatic update checking with version mismatch detection [README]
• Custom blocking messages per scenario [README]

Integration:

• Docker and Docker Compose (primary deployment path) [README]
• Proxmox support [README]
• Unraid support [README]
• SSL/TLS with certificate validation controls [README]

One notable feature from the canonical list is SSO — the profile lists it as supported, which aligns with the README recommendation to put Guardian behind a reverse proxy with an authentication layer like Authelia or Authentik. Guardian itself has a login, but the README explicitly warns against exposing it to the public internet without additional SSO protection [README].

---

Pricing: SaaS vs self-hosted math

There’s no SaaS version of Guardian. The comparison here is against Plex’s native paid features.

Guardian: Free and open source. Self-hosted cost is whatever your Plex server already runs on — no additional VPS needed since Guardian runs on the same host. If you’re hosting Guardian separately, a minimal container needs less than 512MB RAM.

Plex Pass (the relevant paid tier):

• Monthly: $6.99/mo
• Annual: $69.99/yr (~$5.83/mo)
• Lifetime: $119.99 one-time

Plex Pass unlocks managed users, home features, mobile sync, and hardware transcoding. It does not give you device-level blocking, IP-based restrictions, or schedule-based access control. A Plex Pass subscriber still cannot automatically terminate an unwanted session from a device they don’t recognize.

The actual math for a Plex server owner:

If you already pay for Plex Pass (many server owners do), Guardian adds zero recurring cost — it runs on your existing infrastructure. If you’re specifically evaluating whether Plex Pass plus Guardian is worth it versus just Plex Pass, the answer depends on whether you share your server. If you share with 3+ people across 6+ devices, the access control headaches Guardian solves are real. If you run Plex solo, you don’t need it.

No cost comparison to SaaS alternatives exists because there isn’t a direct SaaS competitor doing what Guardian does for Plex specifically. The closest paid option would be a managed Plex hosting service that includes user management, but that’s a different category entirely.

---

Deployment reality check

Guardian deploys via Docker Compose, which is the recommended and most tested path. Proxmox and Unraid installs are documented in the README. The prerequisites are minimal: Docker + Docker Compose, a running Plex Media Server, and a Plex authentication token.

What the setup actually requires:

• Plex token (documented at Plex’s support site — requires reading your browser’s network tab once)
• Docker Compose file (available from the repo)
• Environment configuration via .env file
• Optional: reverse proxy (Caddy, nginx, Traefik) if you want HTTPS or external access

Realistic effort: 30–60 minutes for someone comfortable with Docker. Most of that is finding your Plex token, not configuring Guardian itself.

What can go wrong:

The big one is the internet exposure warning. The README opens with a bold warning block: “Do not expose Guardian to the public internet without proper protection.” The recommended options are running it on your local network only, accessing via VPN, or placing it behind a reverse proxy with SSO (Authelia, Authentik, Cloudflare Access) [README]. This isn’t optional paranoia — Guardian has access to your Plex token and can terminate sessions. If the interface is reachable from the internet without authentication, anyone who finds it can disrupt your server.

The second issue is the maintainer situation. Security patches may be slow. If a vulnerability is discovered in Guardian’s dependencies or its own code, the response timeline is undefined. For a tool that sits in front of your media server and holds your Plex credentials, that’s a meaningful risk to weigh.

No license is specified in the merged profile or README header, which is an unusual omission for a public GitHub project. The project is publicly available and has a Docker Hub image, but the absence of an explicit license creates ambiguity about redistribution or forking rights — relevant if you want to maintain your own fork given the maintainer situation.

---

Pros and Cons

Pros

• Fills a real gap in Plex. Session-level device blocking with IP and schedule controls is genuinely not available natively in Plex, even with Plex Pass [README].
• Apprise integration. 100+ notification services through a single integration point — Discord, Slack, Telegram, ntfy — is a practical choice that avoids maintaining separate webhook configs [README].
• No recurring cost. Runs on your existing Plex host. Zero SaaS dependency [README].
• Clean feature scope. The tool does one thing — Plex access control — and doesn’t try to be a media manager, request system, or analytics platform. That focus is reflected in the interface design [README].
• Proxmox and Unraid support beyond Docker makes this usable across the most common homelab platforms [README].
• Rich UI. Live stream thumbnails, background artwork, responsive design for mobile access suggest genuine attention to usability beyond a minimal admin panel [README].

Cons

• No active maintainer. The project is feature-complete and looking for a new owner. Security patches may be slow. This is stated plainly in the README and cannot be understated for a security-adjacent tool [README].
• Plex only. If you run Jellyfin, Emby, or any other media server, Guardian is irrelevant. There is no support or roadmap for other platforms [README].
• No explicit license. The repo doesn’t specify a license, which creates uncertainty about forking or self-maintaining [GitHub].
• Requires Plex token exposure. Guardian needs your Plex authentication token to function. If Guardian is compromised, your Plex server is at risk [README].
• Internet exposure warning is a real constraint. The tool should not be reachable from the public internet without additional SSO in front of it [README]. For users who want remote access to the Guardian dashboard from outside their home network, this adds setup complexity.
• Very small community. 165 stars, 3 forks, no active maintainer means limited community support, few external guides, and a small pool of people who have solved the same deployment problems you’ll encounter.
• No external reviews available for this specific tool — which makes it harder to validate claims beyond the README.

---

Who should use this / who shouldn’t

Use Guardian if:

• You run a Plex server and share it with family or friends who use multiple devices across different locations.
• You’ve experienced unauthorized access, token sharing, or “a friend of a friend” showing up in your Plex dashboard.
• You’re comfortable with Docker and basic Linux administration.
• You can put it behind a VPN or SSO proxy — this is non-negotiable for security.
• You accept the risk that the project may not receive timely security updates.

Skip it if:

• You run Jellyfin or Emby — this tool is Plex-specific and there are no plans for expansion.
• You want a maintained, actively developed tool. The maintainer-seeking notice is a hard stop for anything production-critical.
• You’re not comfortable securing a web interface (VPN or SSO setup) — the alternative is leaving it on localhost only, which limits remote management.
• Your access control needs are already solved by Plex’s managed users and home feature. If you have a small, trusted circle using one or two devices each, the complexity isn’t worth it.

Consider carefully if:

• You’re building a homelab for learning — Guardian is a reasonable addition to a Plex stack, but make sure you understand what “no active maintainer” means before you depend on it for anything important.

---

Alternatives worth considering

The direct competitors are limited because Guardian occupies a specific niche: Plex session security.

Tautulli — The standard Plex monitoring tool. Excellent dashboards, play history, notification support, and user statistics. Does not block devices or enforce access controls. Complementary to Guardian, not a replacement. Actively maintained.

Overseerr — Handles media requests from your Plex users (they request shows, you approve). No access control or session management. Different problem space.

Plex’s native Managed Users + Home — Requires Plex Pass. Provides user-level sharing controls but no device-level blocking or IP restrictions. Sufficient for low-trust-surface setups (small families, nobody sharing their credentials).

Plexgate / custom webhook scripts — Some users build their own session monitoring using Plex’s webhooks and a script that calls the Plex API to kill sessions. More work, more control, no dependency on an unmaintained project — worth considering if you have the technical appetite.

Authelia / Authentik — If your goal is adding authentication in front of Plex services generally, these identity proxies can protect the entire stack. They don’t do Plex-specific session monitoring but solve the “unauthorized access” problem from a different angle.

For pure Plex device management, there is no direct maintained alternative that does what Guardian does at this feature breadth. That’s both why the tool exists and why its maintainer situation is the main risk to evaluate.

---

Bottom line

Guardian is a well-built, genuinely useful tool for Plex users who need device-level access control that Plex itself doesn’t provide. The feature set is complete, the UI is clean, and the installation is straightforward for anyone with basic Docker experience. If you share your Plex server and have had problems with unauthorized device access, Guardian solves a real problem.

The caveat that changes everything: the project is feature-complete and actively seeking a new maintainer. Security patches may be slow. For a tool that holds your Plex token and sits in front of your media server, that’s a meaningful risk you’re accepting. If you can tolerate it — or if you have the skills to maintain your own fork if needed — Guardian is worth deploying. If you need a tool you can trust to receive security updates on a reasonable timeline, the maintainer warning should give you pause.

The 165-star count reflects the niche audience accurately. This isn’t a tool for everyone — it’s for the subset of Plex users who run large shared servers and treat access control seriously. For that audience, there’s nothing quite like it.

---

Sources

1. HydroshieldMKII/Guardian — GitHub README and project page. https://github.com/HydroshieldMKII/Guardian
2. Plex Pass Pricing. https://www.plex.tv/plex-pass/
3. Apprise — Notification service aggregator supporting 100+ services. https://github.com/caronc/apprise
4. Self-Host Weekly (31 October 2025) — general self-hosting community news. https://selfh.st/weekly/2025-10-31/