Security: gfudenberg/hanabi-live

docs/SECURITY.md

Security

Many tech companies publish security pages that explain how they use your data and how they protect it, and that provide a little transparency. This page is a short attempt to provide something similar for this site.


Owner

The site is owned by me (Zamiel), an enthusiast from America. It is paid for out of pocket. The site does not run any ads and is not monetized in any way.


Code

The site is open-source: all of the code is publicly available for review on GitHub. Note that open-source software is not automatically more secure than closed-source software; it only means that anyone can audit it.


Staff

I am the only administrator for the website. This means that only I have the ability to mute users, ban users, and so forth.

In the Discord server, any user with a "1+ Years Experience" role is considered a Discord administrator, and has the ability to delete messages, ban users, and so forth (in the Discord).


Encryption

The website is served over HTTPS, so all traffic between your browser and the web server is encrypted in transit. The certificates for this are issued by Let's Encrypt.


Password Hashing

On the server, passwords are salted and hashed with the Argon2 algorithm before being stored in the database. As of 2020, this is considered best practice. A password hash is a one-way function: if an attacker obtained a copy of the database, they could not reverse the stored hashes back into passwords. Argon2 is also deliberately slow and memory-hungry, so guessing candidate passwords one at a time against the hashes is expensive, and the random salt per password means that two accounts with the same password still get different hashes. (A weak or reused password can still be guessed offline, just slowly, so hashing is no substitute for choosing a good password.)


Data

The database stores usernames, salted password hashes, the last IP that you logged on with, chat messages, and game history. The full schema for the database can be found here. Furthermore, similar to other web servers on the internet, the web logs contain the IP address of every connection.

Notably, the database holds no contact details or other directly identifying information such as email addresses or real names; the last login IP address is the closest thing to personal data it contains. That makes the website a pretty low-priority target for an attacker looking to harvest data in bulk.


Cookies

Upon logging in for the first time, the site will store a cookie so that on subsequent visits, you won't have to reauthenticate. This kind of thing is pretty standard. Cookies are encrypted and hardened according to best practice.

Furthermore, the site stores your username in a local cookie. This is so that when your cookie expires, the username field will automatically be filled out.

The password chosen for a password-protected table is also stored in a local cookie. Storing a password in a cookie is normally considered insecure, but it is necessary so that users can see what their table password is in the "Create Game" tooltip. (They need to see the password in order to distribute it to the other people joining the table.) Note that this is the table password, not your account password, and anyone who can read your browser's cookies can read it.
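As an added example of what "encrypted and hardened" cookies mean in practice (this is not the project's code, and its token format is an assumed design, not hanabi-live's actual cookie format), the block below builds a tamper-evident "remember me" cookie: an HMAC-SHA256 signature binds the username and expiry so an edited cookie fails verification, the check runs in constant time, and the Set-Cookie line carries the HttpOnly, Secure and SameSite attributes that keep the cookie away from page scripts, plaintext HTTP and cross-site requests. The key and the usernames are constructed for the example.

```python
"""Added example, not hanabi-live's code: a tamper-evident 'remember me' cookie
and the attributes that harden it.

The page says the site's cookies are encrypted and hardened; the design below
(an HMAC-SHA256-signed 'username|expiry' token, checked in constant time, set
with HttpOnly, Secure and SameSite) is an assumed illustration of what that
hardening means, not the project's actual cookie format.
"""
import base64
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed server-side key for the example; load it from configuration in practice.
COOKIE_KEY = b"example-key-do-not-use-in-production"


def _b64(raw: bytes) -> str:
    # URL-safe base64 without '=' padding keeps the cookie value free of
    # characters that would force SimpleCookie to quote it.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, expires_at: int) -> str:
    """payload.signature, where the signature covers both the user and the expiry."""
    payload = f"{username}|{expires_at}".encode("utf-8")
    sig = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the signature checks out and the token has not
    expired; otherwise None. A forged or edited cookie fails the HMAC check,
    and an expired one is rejected even though its signature is valid."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        username, expires = payload.decode("utf-8").rsplit("|", 1)
        expires_at = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires_at:
        return None
    return username


def session_cookie_header(username: str, now: int, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Set-Cookie line for the session token with the hardening attributes."""
    jar = SimpleCookie()
    jar["session"] = make_token(username, now + ttl_seconds)
    jar["session"]["httponly"] = True      # page scripts cannot read it (limits XSS theft)
    jar["session"]["secure"] = True        # sent over HTTPS only
    jar["session"]["samesite"] = "Strict"  # not attached to cross-site requests (CSRF)
    jar["session"]["max-age"] = ttl_seconds
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")
```

Signing makes the cookie tamper-evident but not secret: the username is readable inside the token. A cookie that must also hide its contents needs authenticated encryption (an AEAD such as AES-GCM or ChaCha20-Poly1305) rather than a bare HMAC, which is the "encrypted" half of the page's claim.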


Google Analytics

The website reports anonymous usage data to Google Analytics. This allows me to easily see what the peak hours of the website are and what countries most people are from. This kind of thing is pretty standard.


Sentry

Client errors are automatically reported to Sentry, a cloud-based service that aggregates errors. The username and IP address are uploaded alongside an error report. This kind of thing is pretty standard.


Server

The virtual server runs the latest version of Ubuntu Server and is protected by a host-based firewall. I make a best effort to keep the machine up to date in terms of operating system packages, Go versions, and NPM packages.

