Security model
Studio responsibilities
- Put the API key only in a Roblox Secret restricted to
api.guardyn.xyz. - Keep all Guardyn HTTP calls in server Scripts.
- Remove moderators promptly and protect the owner's Discord account with MFA.
- Rotate a key immediately after suspected exposure.
- Treat reports as allegations and maintain an appeal route.
- Review and retest studio integration code whenever the API contract or Roblox platform behavior changes.
Guardyn controls
- Discord OAuth uses only the
identifyscope. - Sessions, API keys, invite tokens, one-time passwords, and redeem keys are stored as keyed hashes.
- Webhook URLs are encrypted with AES-256-GCM.
- Production uses secure, HttpOnly, SameSite cookies and CSRF tokens.
- Owner, moderator, workspace, game, and administrator authorization is enforced server-side.
- API requests are rate-limited and body/field sizes are bounded.
- Report bodies, chat text, complete API keys, and complete webhook URLs are excluded from API activity logs.
- Production hostnames are separated and checked before routing.
- Security headers deny framing, plugins, camera, microphone, location, and payment access.
- The Node service listens only on loopback behind Caddy and Cloudflare.
- The systemd service runs as a non-root account with filesystem and kernel hardening.
- SQLite, uploads, secrets, and backups use restrictive permissions.
- Daily database backups are integrity checked.
No system is breach-proof. Guardyn's incident procedure covers containment, credential revocation, affected-workspace assessment, restoration, notification analysis, and follow-up.