Show Lemmy: I built a free streaming site from scratch — vanilla JS, Node.js, MongoDB, $0/month stack
Built ELI6 Movies as a side project to push how far a free-tier stack can go.
Tech:
- Frontend: pure HTML/CSS/vanilla JS on Vercel (free)
- Backend: Node.js/Express on Render (free)
- DB: MongoDB Atlas M0 (free)
- Metadata: TMDB API
- Video: third-party embeds with smart server failover
Interesting bits:
- Multi-server failover via postMessage detection
- Episode email notifier
- Tiered TMDB cache
- i18n (EN/IT/RU)
- Android TV spatial navigation
Happy to answer questions about the architecture.
https://eli6movies.vercel.app/Open linkView original on lemmy.world
slop
k
sure, what specifically bothered you
Cool concept and that’s definitely the start of the Backrooms (saw it yesterday in theaters), so that’s cool. I will not be returning to the site because of the ads/malware being served.
When trying to seek on the movie, you get tons of pop ups with the classic VPN scare messages. No thanks.
haha thats just whatever movie was on the homepage when i took the screenshot, it pulls the backdrop from tmdb. enjoy the backrooms lol
I feel like you didn’t read my full comment. I’d love to see you address the malware and popups.
yeah you were right, my bad. embeds were calling window.open() and the sandbox let it through. removed allow-popups so they cant do that anymore, video still works fine. give it another try if you want
i did read it — popup fix is in now. removed allow-popups from the iframe sandbox so embeds cant open new tabs. worth retrying if you want
Mate it worse then you think.
The repo
https://github.com/EliseyRotar/eli6_movies
Step 3 in the database setup.
yeah same answer as the other comment — render free tier has no static IPs so you cant restrict by IP at all. strong credentials are the actual protection, not IP allowlisting
You can. Your AI slop just doesn't know how.
you are right, my bad. render publishes fixed CIDR ranges per region, you can get them from the dashboard and allowlist those in atlas instead of 0.0.0.0/0. updating the readme
popups were coming from window.open() inside the embed iframes, removed allow-popups from the sandbox so that cant happen anymore. should be good now
got me on the emdash lol. fair points though, working on it
believe what you want
popups came from the embed iframes, not the site itself. removed allow-popups from the sandbox so they cant do that anymore