Security Features
Security is a top priority in the design of UltimateServer. This document outlines the built-in features that help protect your server, data, and users.
User passwords are never stored in plain text. They are hashed using the PBKDF2 algorithm, which applies a computationally intensive key-derivation process with a unique salt for each user. This makes it extremely difficult for attackers to recover passwords even if they gain access to the database.
The server uses a stateless authentication mechanism with JSON Web Tokens (JWT). Access tokens have a short lifespan (e.g., 24 hours), minimizing the risk if one is compromised. Long-lived refresh tokens are used to obtain new access tokens, allowing users to stay logged in securely without frequently re-entering their credentials.
To protect against brute-force attacks, the server automatically locks user accounts after a configurable number of failed login attempts. The account remains locked for a specified duration, preventing automated scripts from repeatedly guessing passwords.
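The salted PBKDF2 hashing and the failed-attempt lockout described above, as an added example in Python (this is not UltimateServer's own code; the iteration count, the stored-hash format and the 5-attempt / 15-minute defaults are assumptions):

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

ITERATIONS = 600_000  # assumed work factor; the page does not state the project's value
SALT_LEN = 16         # 128-bit per-user salt


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$hash_hex' using a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class LoginGuard:
    """Locks an account after max_attempts consecutive failures for lock_seconds."""
    max_attempts: int = 5          # assumed default
    lock_seconds: int = 900        # assumed default (15 minutes)
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time lock expires

    def attempt(self, user: str, password: str, stored: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # A locked account rejects even the correct password until the lock expires.
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if verify_password(password, stored):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lock_seconds
            self.failures.pop(user, None)  # counting restarts after the lock expires
            return "locked"
        return "denied"
```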
UltimateServer includes a framework for role-based access control, allowing you to assign different permissions to different user roles (e.g., 'admin', 'moderator', 'user'). This ensures that users can only access the features and data appropriate for their role.
All user-provided data is rigorously validated on the server side. This is a critical defense against common injection attacks like SQL Injection and Cross-Site Scripting (XSS), ensuring that malicious data cannot be executed or interpreted by the system.
Sensitive files, such as uploaded videos, are not publicly accessible. All requests to these resources are protected by authentication checks. The server verifies that the user presents a valid JWT before serving the file, preventing unauthorized access.
The server can enforce strong password policies, requiring a minimum length and a mix of character types (uppercase, lowercase, numbers, special characters). This helps users create more secure passwords that are resistant to guessing and cracking attempts.
Cross-Origin Resource Sharing (CORS) headers are properly configured to control which domains can access the server's API. This prevents malicious websites from making unauthorized requests to your server on behalf of your users.
While the server runs on HTTP by default, it is designed to be easily placed behind a reverse proxy (like Nginx) that handles SSL/TLS encryption. This allows you to secure all communication with the dashboard and API using HTTPS, protecting data in transit from eavesdropping. See the Configuration Guide for an example.
To maximize the security of your UltimateServer instance:
- Change Default Credentials: Immediately change the default admin password after first login.
- Keep Updated: Regularly update to the latest version of UltimateServer to get the latest security patches.
- Use a Firewall: Configure a firewall to only allow necessary traffic on the required ports (11001, 11002, 11003).
- Use HTTPS in Production: Always use a reverse proxy with SSL/TLS to secure your dashboard in a production environment.
- Principle of Least Privilege: Create user accounts with the minimum permissions necessary for their tasks.