Security Considerations
JLangisch edited this page Dec 20, 2025 · 16 revisions
Securing your StationeersServerUI installation is crucial, especially if exposing it beyond your local network.
Authentication is fully handled at the application level by the backend (Go server). It uses:
- Password Storage: Passwords are hashed using bcrypt (strong, salted hashing).
- Session Management: JSON Web Tokens (JWT) signed with HMAC-SHA256 using a server-side secret key.
- Token Delivery: The JWT is stored in an HttpOnly, Secure, SameSite=Strict cookie named AuthToken.
- API Keys: Support for long-lived API keys with configurable expiration (default 1 month).
- Plaintext passwords are never stored. A password is sent only in the login request (which should only ever happen over HTTPS) and is compared against the stored bcrypt hash.
- A random JWT secret key is automatically generated at first startup. It can be explicitly changed to something else in config.json.
- The JWT key is stored in plaintext in config.json. Anyone who can read that file can sign a valid session token for any user, so restrict the file's permissions to the account running the server.
- All routes besides the login page are guarded by middleware that validates the JWT cookie.
- First-time setup encourages enabling authentication and creating users.
- Multiple users can be added through the /changeuser page.
- Every user has the same permission level: User A can change User B's password. Be aware of that. For community access, consider using the Discord integration instead.
Authentication can be disabled completely, but this is strongly discouraged for any public-facing deployment.
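As an added example (not StationeersServerUI's own code), the following Go program, using only the standard library, shows the session mechanics the list above describes: an HS256-signed JWT, a random server-side secret, the AuthToken cookie with HttpOnly, Secure and SameSite=Strict, and route-guarding middleware that returns 401 for a missing, tampered, foreign-key or expired token. The claim names sub and exp, the one-hour lifetime and the /login route name are assumptions, not taken from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const cookieName = "AuthToken"
var b64 = base64.RawURLEncoding

type claims struct {
	Sub string `json:"sub"` // assumed claim names, not the project's
	Exp int64  `json:"exp"`
}

func sign(secret []byte, signingInput string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// mint builds a compact HS256 JWT: header.payload.signature, base64url without padding.
func mint(secret []byte, user string, ttl time.Duration, now time.Time) string {
	hdr := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims{Sub: user, Exp: now.Add(ttl).Unix()})
	si := hdr + "." + b64.EncodeToString(body)
	return si + "." + sign(secret, si)
}

// verify pins alg to HS256, recomputes the HMAC and compares it in constant time,
// and only then trusts the payload enough to check expiry. Returns (subject, accepted).
func verify(secret []byte, token string, now time.Time) (string, bool) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", false
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return "", false // "none" or any other alg is rejected before the signature is looked at
	}
	if subtle.ConstantTimeCompare([]byte(sign(secret, p[0]+"."+p[1])), []byte(p[2])) != 1 {
		return "", false
	}
	var c claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", false
	}
	return c.Sub, now.Unix() < c.Exp
}

// issueCookie carries the token with exactly the attributes the wiki lists.
func issueCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: cookieName, Value: token, Path: "/", MaxAge: int(ttl.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
}

// requireAuth guards every route except the login page; missing, tampered, foreign-key and expired cookies all yield 401.
func requireAuth(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/login" {
			ck, err := r.Cookie(cookieName)
			if err != nil {
				ck = &http.Cookie{} // no cookie at all; verify("") fails below
			}
			if _, ok := verify(secret, ck.Value, time.Now()); !ok {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware through httptest and returns the HTTP status code.
func statusFor(secret []byte, path, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	requireAuth(secret, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := make([]byte, 32) // stands in for the random key generated at first startup
	rand.Read(secret)
	tok := mint(secret, "admin", time.Hour, time.Now())
	fmt.Println(issueCookie(tok, time.Hour).String()) // the Set-Cookie value, ending in HttpOnly; Secure; SameSite=Strict
	fmt.Println(statusFor(secret, "/", tok), statusFor(secret, "/", ""), statusFor(secret, "/", tok+"x"), statusFor(secret, "/login", ""))
}
```

The two checks worth copying are the explicit alg pin (a token whose header claims none or any other algorithm is rejected before its signature is even examined) and the constant-time signature comparison. Because the secret lives in config.json, anyone who can read that file can run mint themselves, which is why the file permissions mentioned above matter.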
During first-time setup (or manually):
- Via Web UI Setup (recommended for initial deployment):
  - Access /setup on a fresh install.
  - Register one or more users (passwords are automatically hashed).
  - Finalize setup to enable authentication.
- Manually via config.json:
  - In the UIMod folder, edit config.json.
  - Add users to the "users" map with bcrypt-hashed passwords.
  - Example:
    "users": { "admin": "$2a$10$examplehashedpasswordhere..." }
- Firewall Configuration
  - Only open the necessary ports (27015 and 27016 for the game server).
  - Keep the web UI port (8443) restricted to trusted source addresses (your LAN or a VPN) rather than open to the internet.
  - Consider using Windows Firewall or iptables (Linux) to restrict access.
- Reverse Proxy Setup
  - If you need remote access to the web UI, set up a reverse proxy in front of it (Traefik might be worth checking out) with:
    - Rate limiting to prevent brute-force attacks against the login page
- Discord Integration
  - Keep your Discord bot token secure; treat it like a password, since whoever holds it controls the bot.
  - Use Discord's role-based permissions to restrict command access.
  - Only give administrative command access to trusted users.
If using Docker:
- Container Isolation
  - Don't run containers with the --privileged flag.
  - Use volume mounts instead of bind mounts where possible.
- Network Configuration
  - Use Docker's network controls to limit container access.
See also:
- Configuration - Review proper configuration procedures
- Docker Guide - Secure containerized deployment