Security

Last updated: October 2, 2025

At SfwBot, we take security seriously. This page outlines our security practices and how we protect your data.

1. Data Security Measures

1.1 Encryption

  • HTTPS/TLS: All web traffic is encrypted using HTTPS with TLS certificates from Let's Encrypt
  • Secure Connections: All communication between our services uses encrypted connections
  • Database Security: Database connections use secure PostgreSQL protocols

1.2 Authentication

  • Discord OAuth2: We use Discord's official OAuth2 authentication - we never see your Discord password
  • Session Cookies: Secure, HTTP-only cookies for session management
  • Access Controls: Role-based access control for admin functions
  • Token Security: OAuth tokens are stored securely and never logged

1.3 Infrastructure

  • Database Resilience: Automatic retry logic for transient database failures
  • Connection Pooling: Efficient database connection management
  • Reverse Proxy: Nginx reverse proxy with security headers
  • Regular Updates: We keep all dependencies and systems up to date

2. Data Protection

2.1 What We Store

  • No Image Files: We never store actual image files, only URLs and perceptual hashes
  • Minimal Data: We only collect data necessary to provide our service
  • Temporary Storage: Image URLs are stored temporarily for reporting purposes
  • No Passwords: We never store Discord passwords (OAuth2 only)

2.2 Data Access

  • Limited Access: Only authorized administrators can access sensitive data
  • Audit Logs: All configuration changes are logged for accountability
  • Server Isolation: Each Discord server's data is isolated from others

3. Privacy by Design

  • EU Analytics: PostHog analytics data is stored on EU servers
  • Identified Only: Analytics only track identified users, not anonymous visitors
  • No Tracking in Development: Analytics are disabled in development environments
  • Data Minimization: We don't collect data we don't need

4. Application Security

4.1 Security Headers

Our web application uses security headers to protect against common attacks:

  • Content Security Policy (CSP): Restricts which resources can be loaded
  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME-sniffing attacks
  • Referrer Policy: Controls referrer information

4.2 Input Validation

  • All user inputs are validated and sanitized
  • Protection against SQL injection through parameterized queries
  • Protection against XSS (Cross-Site Scripting) attacks
  • Rate limiting to prevent abuse

5. Discord Bot Security

  • Minimal Permissions: The bot only requests necessary Discord permissions
  • Secure Token Storage: Bot tokens are stored as environment variables, never in code
  • Gateway Intents: We only use required Discord gateway intents
  • Message Content: Only accessed when necessary for moderation

6. Third-Party Security

6.1 Discord

  • We comply with Discord's Developer Terms of Service
  • We use Discord's official API and libraries
  • We respect Discord's rate limits and best practices

6.2 PostHog Analytics

  • EU-based analytics provider
  • Data stored on EU servers (eu.i.posthog.com)
  • No personal data shared without consent

7. Incident Response

In the event of a security incident:

  • We will investigate and contain the incident immediately
  • Affected users will be notified as required by law
  • We will take steps to prevent similar incidents in the future
  • We maintain error logging and monitoring to detect issues quickly

8. Vulnerability Reporting

If you discover a security vulnerability in SfwBot, please report it responsibly:

  • Contact: Join our Discord Support Server and DM an administrator
  • Do Not: Publicly disclose the vulnerability before we've had a chance to fix it
  • Do Not: Exploit the vulnerability or access data you're not authorized to view
  • We Will: Acknowledge your report, investigate promptly, and credit you (if desired) once fixed

9. User Security Best Practices

To keep your account secure:

  • Secure Your Discord Account: Use a strong password and enable 2FA (Two-Factor Authentication)
  • Don't Share Access: Don't share your Discord login with others
  • Review Permissions: Only grant "Manage Server" permissions to trusted users
  • Monitor Activity: Check audit logs regularly for unexpected changes
  • Log Out: Log out of the dashboard when using shared computers

10. Compliance

  • Privacy Regulations: We comply with international privacy and data protection requirements
  • Discord ToS: We comply with Discord's Terms of Service and Developer Terms
  • Data Protection: We follow industry best practices for data protection

11. Limitations

While we implement strong security measures, please understand:

  • No system is 100% secure
  • We cannot control Discord's security or availability
  • Users are responsible for securing their own Discord accounts
  • We are not responsible for content posted in your Discord server

12. Security Updates

We continuously improve our security practices. This page will be updated as we implement new security measures. Check the "Last updated" date at the top for the most recent version.

13. Contact

For security concerns or questions:

Security is a shared responsibility. We do our part to protect your data, and we ask that you do yours by following security best practices.