Skip to main content

Security model

Studio responsibilities

  • Put the API key only in a Roblox Secret restricted to api.guardyn.xyz.
  • Keep all Guardyn HTTP calls in server Scripts.
  • Remove moderators promptly and protect the owner's Discord account with MFA.
  • Rotate a key immediately after suspected exposure.
  • Treat reports as allegations and maintain an appeal route.
  • Review and retest studio integration code whenever the API contract or Roblox platform behavior changes.

Guardyn controls

  • Discord OAuth uses only the identify scope.
  • Sessions, API keys, invite tokens, one-time passwords, and redeem keys are stored as keyed hashes.
  • Webhook URLs are encrypted with AES-256-GCM.
  • Production uses secure, HttpOnly, SameSite cookies and CSRF tokens.
  • Owner, moderator, workspace, game, and administrator authorization is enforced server-side.
  • API requests are rate-limited and body/field sizes are bounded.
  • Report bodies, chat text, complete API keys, and complete webhook URLs are excluded from API activity logs.
  • Production hostnames are separated and checked before routing.
  • Security headers deny framing, plugins, camera, microphone, location, and payment access.
  • The Node service listens only on loopback behind Caddy and Cloudflare.
  • The systemd service runs as a non-root account with filesystem and kernel hardening.
  • SQLite, uploads, secrets, and backups use restrictive permissions.
  • Daily database backups are integrity checked.

No system is breach-proof. Guardyn's incident procedure covers containment, credential revocation, affected-workspace assessment, restoration, notification analysis, and follow-up.