Discord Security Best Practices & Staff Data Protection

Purpose: This document outlines mandatory security practices for all Discord integrations, bots, and staff operations to ensure sensitive data (PII, internal tools) is never exposed to public users (Players).

🔒 1. Data Visibility & Privacy

Ephemeral Messages (Client-Side Only)

Rule: Any bot response containing sensitive data must be Ephemeral (visible only to the user who triggered the command).
  • Use Case: Staff looking up a player's email, IP, or transaction history.
  • Implementation: Set ephemeral: true (in current discord.js, flags: MessageFlags.Ephemeral) on the interaction reply. Only interaction responses can be ephemeral; a webhook post or a normal channel message is always visible to everyone who can see the channel.
  • Why: Prevents accidental leaks if a staff member uses a command in a public channel.
  • Caveat: Ephemeral only controls who sees the message in Discord. The data still reaches the staff member's client and can be screenshotted, so it does not replace the redaction rules in the next section.

PII Redaction

Rule: Never send full PII (Personally Identifiable Information) to Discord channels, even private ones, unless absolutely necessary and ephemeral.
  • Do Not Log: Full credit card numbers (PANs; a PCI DSS violation), user passwords in any form (they belong only in the auth database as salted hashes), raw session tokens, or API keys.
  • Allowed: Masked emails (he***@hastinapur.com), User IDs (UUIDs), and the last 4 digits of cards.
  • Default: Build replies from an allow-list of safe fields rather than stripping known-bad ones, so a new column in the player record cannot leak by accident.
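As an added example (not the project's own code), the following builds the ephemeral, redacted response for a staff lookup. It uses the raw Discord interaction-response shape (callback type 4, message flag 64) so it runs without discord.js; the player record's field names, the sample record, and the masking rules beyond the ones stated above are assumptions for illustration.

```javascript
// Added example, not loh-backend code. Builds the ephemeral, redacted reply
// for a staff /lookup command using the raw Discord interaction-response shape.

// Discord interaction callback type 4 = CHANNEL_MESSAGE_WITH_SOURCE;
// message flag 1 << 6 (64) = EPHEMERAL. discord.js's `ephemeral: true`
// (or `flags: MessageFlags.Ephemeral`) sets this same bit.
const CHANNEL_MESSAGE_WITH_SOURCE = 4;
const EPHEMERAL = 1 << 6;

// Mask an email: keep up to the first two characters of the local part,
// e.g. "hemant@hastinapur.com" -> "he***@hastinapur.com".
function maskEmail(email) {
  const at = email.indexOf('@');
  if (at <= 0) return '***';                  // not a well-formed address
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  return `${local.slice(0, Math.min(2, local.length))}***@${domain}`;
}

// Keep only the last four digits of a card number (PAN); never the full PAN.
function maskCard(pan) {
  const digits = String(pan).replace(/\D/g, '');
  if (digits.length < 4) return '****';
  return `**** **** **** ${digits.slice(-4)}`;
}

// Allow-list the fields that may leave the backend. Anything not listed
// (password hashes, session tokens, raw card numbers) is dropped, so a
// new column added to the player record cannot leak by accident.
function redactPlayerRecord(record) {
  return {
    userId: record.userId,                     // UUID: allowed as-is
    email: maskEmail(record.email),
    cardLast4: record.cardNumber ? maskCard(record.cardNumber) : 'n/a',
    lastIp: record.lastIp ?? 'n/a',            // still PII: ephemeral only
  };
}

// Wrap a redacted record in an interaction response that only the invoking
// staff member can see, even if the command was run in a public channel.
function buildLookupResponse(record) {
  const safe = redactPlayerRecord(record);
  const content = [
    `User ID: ${safe.userId}`,
    `Email: ${safe.email}`,
    `Card: ${safe.cardLast4}`,
    `Last IP: ${safe.lastIp}`,
  ].join('\n');
  return {
    type: CHANNEL_MESSAGE_WITH_SOURCE,
    data: { content, flags: EPHEMERAL, allowed_mentions: { parse: [] } },
  };
}

function isEphemeral(response) {
  return (response.data.flags & EPHEMERAL) !== 0;
}

// Constructed sample record (not real data); field names are assumed.
const sampleRecord = {
  userId: '3f9a1c2e-7b4d-4e8f-9a0b-1c2d3e4f5a6b',
  email: 'hemant@hastinapur.com',
  cardNumber: '4242 4242 4242 4242',
  lastIp: '203.0.113.7',
  passwordHash: '$argon2id$...',               // must never be sent
  sessionToken: 'sess_abc123',                 // must never be sent
};

console.log(JSON.stringify(buildLookupResponse(sampleRecord), null, 2));
```

The allow-list in redactPlayerRecord is the important part: passwordHash and sessionToken never appear in the output because they were never copied, not because someone remembered to delete them.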

Channel Permissions (Role-Based Access Control)

Rule: Adhere to the Principle of Least Privilege.
  1. Public Channels: @everyone can View/Send. NO sensitive bots or webhooks here.
  2. Staff Channels: Restricted to Support and above. Used for general coordination.
  3. Admin/Ops Channels: Restricted to Admin and DevOps. Used for Alertmanager critical alerts (Mission O/S) and infrastructure logs.
    • Note: Webhooks for server health/alerts should only post here.

🔑 2. Webhook & Token Security

Server-Side Only Integrity

Rule: NEVER embed Discord Webhook URLs or Bot Tokens in the game client (loh-game) or frontend (loh-website).
  • Risk: A user can decompile the client or read the frontend bundle, extract the webhook, and spam/nuke your Discord server. A webhook URL is a bearer credential with no further authentication, and a leaked bot token gives full control of the bot in every server it is in.
  • Solution:
    • Client sends request to loh-backend.
    • loh-backend authenticates and validates the request (size limits, allowed fields, rate limit).
    • loh-backend executes the Discord Webhook from a secure server environment.

Environment Variables

Rule: API Keys and Webhook URLs must live in .env files or Secret Managers, never committed to Git. Add .env to .gitignore, and fail at startup if a required variable is missing rather than falling back to a hard-coded value.
  • Bad: const webhookUrl = "https://discord.com/api/..."
  • Good: const webhookUrl = process.env.DISCORD_ALERTS_WEBHOOK
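One way to structure the server-side relay from the previous two sections, as an added example that is not loh-backend's own code: the client never holds the webhook, the backend reads it from the DISCORD_ALERTS_WEBHOOK variable named above and fails fast if it is missing, and every client-supplied field is validated before it is forwarded. The report shape, size limits, category list and function names are assumptions for illustration.

```javascript
// Added example, not loh-backend code. Client -> loh-backend -> Discord webhook.

const MAX_TITLE = 100;
const MAX_BODY = 1000;
const ALLOWED_CATEGORIES = new Set(['bug', 'cheater', 'payment']);   // assumed

// Read the webhook from the environment and fail fast if absent. The URL is
// a bearer credential: anyone holding it can post to the channel as the bot.
function loadWebhookUrl(env = process.env) {
  const url = env.DISCORD_ALERTS_WEBHOOK;
  if (!url) throw new Error('DISCORD_ALERTS_WEBHOOK is not set');
  if (!url.startsWith('https://discord.com/api/webhooks/')) {
    throw new Error('DISCORD_ALERTS_WEBHOOK does not look like a Discord webhook URL');
  }
  return url;
}

// Validate the client's report server-side. The client is untrusted: it can
// send anything, so every field is typed and sized here, not in the game.
function validateReport(body) {
  if (typeof body !== 'object' || body === null) return ['body must be an object'];
  const errors = [];
  if (!ALLOWED_CATEGORIES.has(body.category)) errors.push('unknown category');
  if (typeof body.title !== 'string' || body.title.length === 0 || body.title.length > MAX_TITLE) {
    errors.push(`title must be 1-${MAX_TITLE} characters`);
  }
  if (typeof body.description !== 'string' || body.description.length > MAX_BODY) {
    errors.push(`description must be a string of at most ${MAX_BODY} characters`);
  }
  return errors;
}

// Build the webhook payload from a validated report. Player-controlled text is
// placed in a code block (backticks stripped so it cannot break out of it) and
// allowed_mentions is emptied so a player cannot ping @everyone via the relay.
function buildWebhookBody(report, playerId) {
  const clean = (s) => s.replace(/`/g, "'");
  return {
    username: 'loh-backend',
    allowed_mentions: { parse: [] },
    content: `[${report.category}] report from player ${playerId}`,
    embeds: [{
      title: clean(report.title).slice(0, MAX_TITLE),
      description: '```\n' + clean(report.description).slice(0, MAX_BODY) + '\n```',
    }],
  };
}

// The only place the webhook is ever called: the server. fetchImpl is
// injectable so the relay can be exercised without network access.
async function relayReport(body, playerId, fetchImpl = globalThis.fetch) {
  const errors = validateReport(body);
  if (errors.length > 0) return { status: 400, errors };
  const res = await fetchImpl(loadWebhookUrl(), {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildWebhookBody(body, playerId)),
  });
  return { status: res.ok ? 202 : 502, errors: [] };
}
```

Note that the relay returns 202 rather than echoing Discord's response body back to the player; the client learns only that the report was accepted, not anything about the webhook or channel behind it.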

Token Rotation

Rule: If a staff member leaves or a repository is accidentally made public, immediately regenerate all Bot Tokens and Webhooks, update the Secret Manager or .env on every host that uses them, and treat the old values as burned even if no misuse has been observed.

🤖 3. Bot & Command Security

Command Scoping

Rule: Restrict administrative Slash Commands (/ban, /lookup, /restart) to specific Staff Roles within the Discord Integration settings.
  • Register each staff command with default_member_permissions (and dm_permission: false) so Discord hides it from members who lack that permission, then grant or restrict roles and channels under Server Settings > Integrations.
  • Do not rely solely on code-level checks (if user.id == admin), but keep them as a second layer: re-check the member's permissions in the handler so a misconfigured integration override cannot expose the command.
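The two layers described above, as an added example that is not the project's bot code: the command definitions carry a default_member_permissions gate (the bitfield Discord checks before showing the command), and the handler re-checks the permissions Discord resolves into the interaction payload. Permission bit positions are Discord's documented values; which permission gates /lookup, and the helper names, are assumptions.

```javascript
// Added example, not the project's bot code. Native permission gate at
// registration plus an in-handler re-check as defense in depth.

// Discord permission flags (bit positions from the Discord API docs).
const PERMISSIONS = {
  BAN_MEMBERS: 1n << 2n,
  ADMINISTRATOR: 1n << 3n,
  MANAGE_GUILD: 1n << 5n,
  MODERATE_MEMBERS: 1n << 40n,
};

// Command definition as sent to PUT /applications/{app}/guilds/{guild}/commands.
// default_member_permissions is a string bitfield; members without those
// permissions do not see the command at all. dm_permission: false keeps it
// out of DMs, where there is no guild member to check. Admins can further
// restrict it to roles/channels under Server Settings > Integrations.
function defineStaffCommand(name, description, required) {
  if (!required || required === 0n) {
    throw new Error(`${name}: staff commands must declare a permission gate`);
  }
  return {
    name,
    description,
    type: 1,                                     // CHAT_INPUT
    default_member_permissions: required.toString(),
    dm_permission: false,
  };
}

// Which permission gates which command is an assumption for the example.
const STAFF_COMMANDS = [
  defineStaffCommand('ban', 'Ban a player', PERMISSIONS.BAN_MEMBERS),
  defineStaffCommand('lookup', 'Look up a player record', PERMISSIONS.MODERATE_MEMBERS),
  defineStaffCommand('restart', 'Restart a game shard', PERMISSIONS.ADMINISTRATOR),
];

// Second layer: the interaction payload carries member.permissions, the
// member's permissions resolved for the channel, as a string bitfield.
// Re-check it here so an integration override that was misconfigured
// (or a command registered without a gate) cannot expose the action.
function memberMayRun(interaction, commands = STAFF_COMMANDS) {
  const def = commands.find((c) => c.name === interaction.data.name);
  if (!def) return false;                      // unknown command: deny
  if (!interaction.member) return false;       // DM: no guild member at all
  const have = BigInt(interaction.member.permissions);
  const need = BigInt(def.default_member_permissions);
  if ((have & PERMISSIONS.ADMINISTRATOR) !== 0n) return true;
  return (have & need) === need;
}
```

The handler check is deliberately a deny-by-default lookup: a command that is not in STAFF_COMMANDS, or an interaction with no member object, is refused rather than falling through to the action.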

Intents Minimization

Rule: Only enable Privileged Intents (e.g., Message Content, Server Members, Presence) if strictly required for functionality, and request only the non-privileged intents the bot actually handles.
  • Reduces the attack surface if the bot token is compromised: a bot without Message Content cannot be used to scrape chat, and one without Server Members cannot enumerate the member list.

🛡️ 4. Staff Account Security

Mandatory 2FA

Rule: All Staff members (Moderators, Admins, Developers) MUST have Two-Factor Authentication (2FA) enabled on their Discord accounts.
  • Enforcement: Enable "Require 2FA for Moderator Actions" in Server Settings (the server owner must have 2FA enabled to turn it on). This prevents a compromised staff account without 2FA from banning members or deleting channels.

Social Engineering Awareness

Rule: Staff should never download files or run code sent by users in DMs.
  • Protocol: All user bug reports requiring file attachments should go through the official ticketing system (e.g., Email/Zoho), not Discord DMs.

📜 5. Audit Logging

Immutable Audit Trail

Rule: Log all significant staff actions performed via Bots to a persistent, read-only #audit-logs channel, and keep a second copy in backend storage.
  • Log Content: Staff User ID, Action (e.g., Ban, Item Grant), Target User ID, Timestamp, and Reason (required, not optional).
  • Read-only: Only the bot may post; staff roles get View Channel but are denied Send Messages and Manage Messages.
  • Why: Ensures accountability and helps investigate potential internal abuse. Discord's built-in Audit Log does not record what a bot did on a staff member's behalf, and a channel message can still be deleted by anyone with Administrator, so the backend copy is the record of truth.
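As an added example (not the project's bot code), the following builds one audit entry with the fields listed above, renders it as the message for #audit-logs, and produces the permission overwrites that make the channel read-only for staff while the bot can still post. The action list, role IDs and helper names are assumptions; the permission bits and the convention that the @everyone role ID equals the guild ID are Discord's.

```javascript
// Added example, not the project's bot code. Audit entry + read-only channel.

const VIEW_CHANNEL = 1n << 10n;
const SEND_MESSAGES = 1n << 11n;
const MANAGE_MESSAGES = 1n << 13n;

const AUDITED_ACTIONS = new Set(['ban', 'unban', 'item_grant', 'restart', 'lookup']); // assumed

// One audit record: who, what, to whom, when, why. Reason is required so the
// entry is useful in an investigation, not just a timestamp. The same object
// is what gets written to backend storage (JSON.stringify(entry)).
function buildAuditEntry({ staffUserId, action, targetUserId, reason, now = new Date() }) {
  if (!AUDITED_ACTIONS.has(action)) throw new Error(`unknown action: ${action}`);
  if (typeof reason !== 'string' || reason.trim().length === 0) {
    throw new Error('reason is required');
  }
  return {
    staffUserId,
    action,
    targetUserId,
    reason: reason.trim(),
    timestamp: now.toISOString(),
  };
}

// Render the entry as the message body posted to #audit-logs. allowed_mentions
// is emptied: the IDs are rendered as text, nobody gets pinged.
function toAuditMessage(entry) {
  return {
    allowed_mentions: { parse: [] },
    embeds: [{
      title: `Staff action: ${entry.action}`,
      timestamp: entry.timestamp,
      fields: [
        { name: 'Staff', value: `<@${entry.staffUserId}> (${entry.staffUserId})`, inline: true },
        { name: 'Target', value: entry.targetUserId, inline: true },
        { name: 'Reason', value: entry.reason },
      ],
    }],
  };
}

// Permission overwrites for #audit-logs (type 0 = role, 1 = member):
//   @everyone (id == guild id): cannot even view the channel
//   staff roles: view only; Send Messages and Manage Messages denied
//   the bot user: view + send, so it alone can append entries
// Members with Administrator bypass overwrites entirely, which is why the
// backend copy of the entry, not this channel, is the record of truth.
function auditChannelOverwrites(guildId, staffRoleIds, botUserId) {
  const readOnly = (id) => ({
    id,
    type: 0,
    allow: VIEW_CHANNEL.toString(),
    deny: (SEND_MESSAGES | MANAGE_MESSAGES).toString(),
  });
  return [
    { id: guildId, type: 0, allow: '0', deny: VIEW_CHANNEL.toString() },
    ...staffRoleIds.map(readOnly),
    { id: botUserId, type: 1, allow: (VIEW_CHANNEL | SEND_MESSAGES).toString(), deny: '0' },
  ];
}
```

The overwrite array is the channel's permission_overwrites field when creating or editing the channel through the API or a library; the same three rows can be set by hand in the channel's permission settings.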

Checklist for New Features
  • Is PII involved? If yes, is it masked or ephemeral?
  • Is the Webhook/Token stored in .env or a Secret Manager (and absent from the client and from Git)?
  • Is the command restricted to Staff roles, with the permission re-checked in the handler?
  • Is the staff action written to #audit-logs and to backend storage?