Security: Macxzew/Botdeck

docs/SECURITY.md

Security

Botdeck is designed as a local-first administration cockpit for Discord bots.

Security model

  • The WebSocket control plane listens on loopback by default.
  • Browser clients must authenticate with a local runtime token.
  • Sensitive HTTP API actions require a Botdeck-only local token and a Botdeck request header.
  • Cross-site API requests are refused with origin, referer and Sec-Fetch-Site checks.
  • WebSocket origins are checked before the connection is accepted.
  • WebSocket authentication is sent through the WebSocket protocol header instead of the URL.
  • Mutating local actions are rate-limited.
  • Security-relevant events are written to .botdeck/audit/security-audit.jsonl.
  • Non-local WebSocket exposure is refused unless explicitly enabled.
  • Desktop runtime data is stored in Electron userData.
  • The SQLite database is migrated with Prisma migrations, not with a destructive db push.
  • A database backup is created before migrations.
  • Discord bot tokens are encrypted at rest with a local runtime key.
  • TLS certificate imports are size-limited and validated before being applied.
  • Replaced TLS certificate/key files are cleaned up on a best-effort basis.
  • Botdeck sends security headers including CSP, nosniff, frame blocking, referrer policy and permissions policy.
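The request checks listed above (local token, Botdeck request header, Origin/Referer/Sec-Fetch-Site, WebSocket origin) as one illustrative implementation. This is an added example, not Botdeck's own code: the header names, the port, the sample header values and the "local origin" rule (loopback host on the API's own port) are assumptions made for the example.

```javascript
// Added example, not Botdeck's own code: the request checks from the security
// model list as pure functions over a lower-cased header map. Header names,
// sample values and the "local origin" rule are assumptions for illustration.

const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);
const TOKEN_HEADER = "x-botdeck-token";     // assumed header name
const REQUEST_HEADER = "x-botdeck-request"; // assumed header name

// "scheme://host[:port]" of an Origin or Referer value; null when the value is
// missing, not an absolute URL, or the opaque origin "null".
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Local means http(s) on a loopback host AND the port this API is bound to;
// another app on a different loopback port is still a foreign origin.
function isAllowedLocalOrigin(origin, expectedPort) {
  if (!origin) return false;
  const u = new URL(origin);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return (u.protocol === "http:" || u.protocol === "https:")
    && LOOPBACK_HOSTS.has(u.hostname)
    && port === String(expectedPort);
}

// Cross-site check. Returns { ok, reason } so a refusal can be audit-logged.
function checkCrossSite(headers, expectedPort) {
  const site = headers["sec-fetch-site"];
  // Browsers send Sec-Fetch-Site on every request; only "same-origin" (or
  // "none", a direct navigation) is acceptable for the local API.
  if (site !== undefined && site !== "same-origin" && site !== "none") {
    return { ok: false, reason: `sec-fetch-site=${site}` };
  }
  for (const name of ["origin", "referer"]) {
    const value = headers[name];
    if (value !== undefined && !isAllowedLocalOrigin(originOf(value), expectedPort)) {
      return { ok: false, reason: `${name} is not a local origin` };
    }
  }
  return { ok: true, reason: "no cross-site indicator" };
}

// Constant-time string comparison: XOR every code unit and never return early
// on a mismatch; the length check is the only early exit and leaks only length.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Full decision for a sensitive (mutating) HTTP API action.
function authorizeSensitiveRequest(headers, expectedPort, runtimeToken) {
  const crossSite = checkCrossSite(headers, expectedPort);
  if (!crossSite.ok) return crossSite;
  // A custom header cannot be set by a plain HTML form, and it forces a CORS
  // preflight for cross-origin fetch() callers, which the server never grants.
  if (headers[REQUEST_HEADER] !== "1") {
    return { ok: false, reason: `missing ${REQUEST_HEADER}` };
  }
  if (!tokensEqual(headers[TOKEN_HEADER], runtimeToken)) {
    return { ok: false, reason: "bad or missing local token" };
  }
  return { ok: true, reason: "authorized" };
}

// WebSocket handshake: browsers always send Origin on an Upgrade request, so a
// missing or non-local Origin refuses the connection before it is accepted.
function checkWebSocketOrigin(headers, expectedPort) {
  return isAllowedLocalOrigin(originOf(headers["origin"]), expectedPort)
    ? { ok: true, reason: "local origin" }
    : { ok: false, reason: "websocket origin is not local" };
}

// Constructed sample headers (not captured from a real session).
const RUNTIME_TOKEN = "example-local-runtime-token";
const SAMPLE_LOCAL = {
  origin: "http://127.0.0.1:3000",
  "sec-fetch-site": "same-origin",
  [REQUEST_HEADER]: "1",
  [TOKEN_HEADER]: RUNTIME_TOKEN,
};
```

`authorizeSensitiveRequest(SAMPLE_LOCAL, 3000, RUNTIME_TOKEN)` authorizes the request; the same headers with `origin: "https://other-site.example"` and `sec-fetch-site: "cross-site"`, with a wrong token, or with a different loopback port are refused and the `reason` field is what a caller would write to the security audit log.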

Important limits

Botdeck is powerful. It can send messages, edit channels, change roles, and run moderation actions depending on the permissions granted to the Discord bot.

Do not grant broad Discord permissions unless the server is a test server or you really need them.

Read-only mode

Read-only mode always blocks Slash Studio and templates/automations.

Additional protections can be enabled per bot:

  • block messaging actions;
  • block channel and forum management;
  • block moderation and role actions.

These protections are enforced server-side, not only in the UI.

Network exposure

Keep these defaults unless you have a specific reason to change them:

BOTDECK_WS_HOST=127.0.0.1
BOTDECK_ALLOW_NETWORK=false

To expose the WebSocket outside loopback, Botdeck requires deliberate opt-in:

BOTDECK_WS_ALLOW_NON_LOCAL=1

Only do this on a trusted network.
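A startup guard that applies the opt-in rule above, as an added example rather than Botdeck's own code. It uses only the two variables this page names for the WebSocket listener, BOTDECK_WS_HOST and BOTDECK_WS_ALLOW_NON_LOCAL (the page does not define how BOTDECK_ALLOW_NETWORK relates to them, so it is left out); the result shape, the audit-record format and the sample environments are assumptions.

```javascript
// Added example, not Botdeck's own code: refuse a non-loopback WebSocket bind
// unless BOTDECK_WS_ALLOW_NON_LOCAL=1 is set. Result shape and the audit-record
// format are assumptions for illustration.

// Loopback means 127.0.0.0/8, IPv6 ::1 (with or without brackets), or the
// literal name "localhost". Wildcards (0.0.0.0, ::) are deliberately not here.
function isLoopbackHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  return h === "localhost" || h === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Accept the usual spellings of an enabled flag; anything else is "off".
function isEnabled(value) {
  return ["1", "true", "yes"].includes(String(value ?? "").trim().toLowerCase());
}

// Decide where the WebSocket control plane may bind.
// Returns { ok: true, host, nonLocal } or { ok: false, reason }.
function resolveWsBind(env) {
  const host = (env.BOTDECK_WS_HOST ?? "127.0.0.1").trim();
  if (isLoopbackHost(host)) return { ok: true, host, nonLocal: false };
  // Any non-loopback host, wildcard or routable address, exposes the control
  // plane to the network; refuse unless the operator opted in explicitly.
  if (!isEnabled(env.BOTDECK_WS_ALLOW_NON_LOCAL)) {
    return {
      ok: false,
      reason: `refusing non-local BOTDECK_WS_HOST=${host}; set BOTDECK_WS_ALLOW_NON_LOCAL=1 to opt in`,
    };
  }
  return { ok: true, host, nonLocal: true };
}

// One JSON Lines record of the kind a security audit log holds (format assumed).
function auditRecord(event, details) {
  return JSON.stringify({ ts: new Date().toISOString(), event, ...details }) + "\n";
}

// Constructed environments for the three cases (not real deployments).
const ENV_DEFAULT = { BOTDECK_WS_HOST: "127.0.0.1", BOTDECK_ALLOW_NETWORK: "false" };
const ENV_WILDCARD_NO_OPTIN = { BOTDECK_WS_HOST: "0.0.0.0" };
const ENV_WILDCARD_OPTIN = { BOTDECK_WS_HOST: "0.0.0.0", BOTDECK_WS_ALLOW_NON_LOCAL: "1" };

// Startup: bind on success, otherwise log the refusal and stop.
function startup(env) {
  const decision = resolveWsBind(env);
  if (!decision.ok) {
    process.stderr.write(auditRecord("ws_bind_refused", { reason: decision.reason }));
    return decision;
  }
  if (decision.nonLocal) {
    process.stderr.write(auditRecord("ws_bind_non_local", { host: decision.host }));
  }
  return decision;
}
```

With `ENV_DEFAULT` (or an empty environment) the listener stays on 127.0.0.1; `ENV_WILDCARD_NO_OPTIN` is refused with a reason that names the variable to set; `ENV_WILDCARD_OPTIN` binds and leaves an audit record of the exposure so the choice is visible later.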

Before public release

Run:

npm run check
npm run build
npm run audit:prod

Also test with a low-permission bot on a disposable Discord server.

Reporting issues

If you find a security issue, do not publish bot tokens, databases, logs containing private server data, or screenshots exposing Discord IDs without consent.

Open a private issue or contact the maintainer with:

  • affected version;
  • operating system;
  • reproduction steps;
  • expected result;
  • actual result;
  • logs with secrets removed.

There aren't any published security advisories