The security of Discord communities running the Capinetta RP Bot System is a priority. The system handles sensitive data, including Discord OAuth2 tokens, session cookies, moderation records, and server configuration. If you discover a vulnerability, report it privately through one of the channels listed below. Never open a public GitHub issue for a security bug: that exposes the flaw to bad actors before a patch is available.
How to Report
Discord DM (Preferred)
Send a private DM to a maintainer in the Capi Netta RP Discord server. This is the fastest way to reach the team confidentially.
GitHub Security Advisory
Open a private GitHub Security Advisory directly in the repository. This keeps the report confidential until a patch is released.
What to Include
A clear and complete report helps the maintainers respond quickly. Please provide:
- Description — a clear explanation of the vulnerability and where it exists in the codebase
- Steps to reproduce — numbered steps to reliably trigger the issue
- Potential impact — what could an attacker achieve? (e.g., data exposure, privilege escalation, session hijacking)
- Suggested fix — optional, but always appreciated
- Credit preference — let us know how you’d like to be credited in the changelog, or if you prefer to remain anonymous
Response Timeline
| Stage | Timeframe |
|---|---|
| Acknowledgment of your report | Within 48 hours |
| Assessment and fix timeline communicated | Within 3–7 days |
| Patch developed and tested | 7–30 days depending on severity |
| Coordinated disclosure published | After the patch is released |
Verified reports are credited in `CHANGELOG.md` with your consent.
Security Features in the Codebase
The following security controls are already implemented in the Capinetta RP Bot System. Understanding these helps you identify gaps or misconfigured deployments.
HTTP Security Headers (Helmet)
The Express dashboard uses Helmet.js (`^7.1.0`) to set secure HTTP headers on every response, including X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy. X-Frame-Options stops other sites from framing the dashboard (clickjacking), and X-Content-Type-Options: nosniff stops browsers from reinterpreting a response as a different MIME type.
Content Security Policy with Nonces
The dashboard implements a per-request CSP nonce strategy. Each request generates a unique nonce that is injected into the EJS templates, so the inline scripts and styles the templates need can run without the `'unsafe-inline'` directive. A script injected through an XSS flaw does not carry the current nonce and is refused by the browser, which significantly limits the impact of such a vulnerability.
Rate Limiting
`express-rate-limit` (`^6.10.0`) is applied to dashboard routes to slow brute-force attempts against the OAuth2 login flow and any authenticated API endpoints. Because the dashboard sits behind a reverse proxy, Express must be told how many proxy hops to trust (`app.set('trust proxy', 1)` for a single Nginx/Apache in front): with no trust the limiter keys every visitor on the proxy's address and one shared bucket, and with blanket trust a client can pick its own `X-Forwarded-For` value and bypass the limit.
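A fixed-window limiter with the same `windowMs`/`max` options as `express-rate-limit` v6, added here as an illustration and hand-written rather than taken from the package or the project, so it runs offline. It keeps counters in process memory (the package's default store does the same), keys on `req.ip`, sets the `RateLimit-*` and `Retry-After` headers, and returns 429 once the budget is spent. The 5-attempts-per-15-minutes budget, the client addresses and the injectable clock are constructed for the demo.

```javascript
// Added example: fixed-window rate limiter mirroring express-rate-limit's
// windowMs/max options. Not the package's code or Capinetta's.
function makeRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, resetAt }

  // Count one hit for `key` and report whether it is still within budget.
  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      resetAt: entry.resetAt,
    };
  }

  // Express-style middleware. req.ip is only the real client behind Nginx
  // when app.set('trust proxy', 1) is configured.
  function middleware(req, res, next) {
    const r = check(req.ip);
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(r.remaining));
    if (!r.allowed) {
      res.setHeader("Retry-After", String(Math.ceil((r.resetAt - now()) / 1000)));
      res.status(429).send("Too many requests");
      return;
    }
    next();
  }

  return { check, middleware };
}

// Constructed scenario: 5 login attempts per 15 minutes per IP, with a
// manual clock so the window expiry can be exercised deterministically.
function demo() {
  let clock = 0;
  const windowMs = 15 * 60 * 1000;
  const limiter = makeRateLimiter({ windowMs, max: 5, now: () => clock });

  const results = [];
  for (let i = 0; i < 6; i++) results.push(limiter.check("203.0.113.7").allowed);
  const otherIp = limiter.check("198.51.100.9").allowed; // separate bucket
  clock = windowMs; // first window has expired
  const afterReset = limiter.check("203.0.113.7").allowed;

  // Drive the middleware itself with a stand-in response object.
  let passed = 0;
  const res = {
    statusCode: 200, headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    send() {},
  };
  for (let i = 0; i < 6; i++) {
    limiter.middleware({ ip: "192.0.2.1" }, res, () => { passed += 1; });
  }
  return { results, otherIp, afterReset, passed, lastStatus: res.statusCode,
           retryAfter: res.headers["Retry-After"] };
}
```

Mount it only on the routes that need it (`app.use('/auth', limiter.middleware)`), and note that an in-memory store resets on every PM2 restart and is not shared across cluster workers; a shared store is needed if the dashboard ever runs more than one process.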
HTTPOnly Session Cookies
Permission Validation on All Commands
Every moderation and admin command checks Discord’s `PermissionFlagsBits` on the executing member and validates against Discord’s Audit Logs before executing destructive actions. Permission decisions are made in the bot on the server side; nothing trusts a client-supplied claim of permission.
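A server-side permission gate for a destructive command, as an added example rather than the project's handler code. The bit values are the `PermissionFlagsBits` constants from discord.js copied inline so the file runs without the library; the member objects are simplified stand-ins for `GuildMember`. It goes beyond the paragraph above in one respect: besides the executor's flags it checks the bot's own flags and the role hierarchy, because Discord rejects (and a bot should refuse) acting on a member whose highest role is at or above the executor's or the bot's. The guild layout is constructed.

```javascript
// Added example: permission and hierarchy check for a moderation command.
// Bit values match discord.js PermissionFlagsBits; everything else is a stand-in.
const Flags = {
  KickMembers: 1n << 1n,
  BanMembers: 1n << 2n,
  Administrator: 1n << 3n,
  ManageGuild: 1n << 5n,
};

// True when the bitfield grants every required flag. Administrator implies
// all flags, matching PermissionsBitField#has with checkAdmin = true.
function hasAll(bitfield, required) {
  if ((bitfield & Flags.Administrator) === Flags.Administrator) return true;
  return required.every((f) => (bitfield & f) === f);
}

// Decide whether `executor` may run an action needing `required` on `target`.
// Members carry { id, permissions (BigInt), highestRolePosition }.
function authorizeModeration({ executor, bot, target, required, guildOwnerId }) {
  if (!hasAll(executor.permissions, required)) {
    return { ok: false, reason: "executor lacks permission" };
  }
  if (!hasAll(bot.permissions, required)) {
    return { ok: false, reason: "bot lacks permission" };
  }
  if (target.id === guildOwnerId) return { ok: false, reason: "cannot act on guild owner" };
  if (target.id === executor.id) return { ok: false, reason: "cannot act on self" };
  const executorIsOwner = executor.id === guildOwnerId;
  if (!executorIsOwner && target.highestRolePosition >= executor.highestRolePosition) {
    return { ok: false, reason: "target role is not below executor's" };
  }
  if (target.highestRolePosition >= bot.highestRolePosition) {
    return { ok: false, reason: "target role is not below bot's" };
  }
  return { ok: true, reason: "authorized" };
}

// Constructed guild: owner, an admin, a moderator, a helper and the bot.
function demo() {
  const guildOwnerId = "owner";
  const bot = { id: "bot", permissions: Flags.KickMembers | Flags.BanMembers, highestRolePosition: 50 };
  const admin = { id: "admin", permissions: Flags.Administrator, highestRolePosition: 40 };
  const mod = { id: "mod", permissions: Flags.KickMembers, highestRolePosition: 20 };
  const helper = { id: "helper", permissions: 0n, highestRolePosition: 10 };
  const owner = { id: "owner", permissions: Flags.Administrator, highestRolePosition: 100 };
  const kick = [Flags.KickMembers];
  const ban = [Flags.BanMembers];
  const run = (executor, target, required) =>
    authorizeModeration({ executor, bot, target, required, guildOwnerId });
  return {
    modKicksHelper: run(mod, helper, kick).ok,
    modBansHelper: run(mod, helper, ban).reason,
    helperKicksMod: run(helper, mod, kick).ok,
    modKicksAdmin: run(mod, admin, kick).reason,
    adminBansMod: run(admin, mod, ban).ok,
    adminBansOwner: run(admin, owner, ban).reason,
  };
}
```

In a discord.js handler the inputs come from `interaction.member.permissions`, `interaction.guild.members.me`, the target `GuildMember`, and `roles.highest.position`; the shape of the decision is the same.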
Environment Variable Validation at Startup
Required environment variables (bot tokens, database credentials, OAuth2 secrets) are validated when the process starts. If any critical variable is missing, the process exits immediately rather than starting with an incomplete configuration that could cause unpredictable behavior.
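One way to implement fail-fast startup validation, added as an example and not the project's own `config` code: every required variable is checked, all problems are reported together so an operator fixes them in one pass, placeholder values copied from a `.env.example` are rejected, and the wrapper exits instead of returning a partial configuration. The variable names (`DISCORD_TOKEN`, `CLIENT_ID`, `CLIENT_SECRET`, `DATABASE_URL`, `SESSION_SECRET`, `DASHBOARD_PORT`), the placeholder list and the 32-character minimum for the session secret are assumptions.

```javascript
// Added example: validate required environment variables at startup.
// Variable names and limits are assumptions, not Capinetta's config.
const REQUIRED = ["DISCORD_TOKEN", "CLIENT_ID", "CLIENT_SECRET", "DATABASE_URL", "SESSION_SECRET"];
// Values that mean "someone forgot to fill this in" (assumed list).
const PLACEHOLDERS = new Set(["", "changeme", "your_token_here", "xxx"]);

// Returns a validated config object or throws an Error listing every problem.
function validateEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const v = env[name];
    if (v === undefined || PLACEHOLDERS.has(v.trim().toLowerCase())) {
      problems.push(`${name} is missing or still a placeholder`);
    }
  }
  const nodeEnv = env.NODE_ENV ?? "development";
  if (!["development", "production", "test"].includes(nodeEnv)) {
    problems.push(`NODE_ENV must be development, production or test (got "${nodeEnv}")`);
  }
  const port = Number(env.DASHBOARD_PORT ?? "3000");
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    problems.push(`DASHBOARD_PORT must be a TCP port number (got "${env.DASHBOARD_PORT}")`);
  }
  if (nodeEnv === "production" && (env.SESSION_SECRET ?? "").length < 32) {
    problems.push("SESSION_SECRET must be at least 32 characters in production");
  }
  if (problems.length > 0) {
    throw new Error(`Invalid environment:\n  - ${problems.join("\n  - ")}`);
  }
  return { nodeEnv, port, ...Object.fromEntries(REQUIRED.map((n) => [n, env[n]])) };
}

// Startup wrapper: log the problem (variable names only, never the values)
// and exit rather than run with a half-configured process.
function loadConfigOrExit(env = process.env, exit = (code) => process.exit(code)) {
  try {
    return validateEnv(env);
  } catch (err) {
    console.error(err.message);
    exit(1);
    return null;
  }
}

// Constructed inputs: one complete environment and one with several faults.
function demo() {
  const good = {
    DISCORD_TOKEN: "t", CLIENT_ID: "1", CLIENT_SECRET: "s",
    DATABASE_URL: "mysql://u:p@localhost/db", SESSION_SECRET: "a".repeat(40),
    NODE_ENV: "production", DASHBOARD_PORT: "3000",
  };
  const bad = { ...good, CLIENT_SECRET: "changeme", DASHBOARD_PORT: "http", NODE_ENV: "prod" };
  delete bad.DATABASE_URL;
  let badError = null;
  try { validateEnv(bad); } catch (e) { badError = e.message; }
  let exitCode = null;
  const cfg = loadConfigOrExit(bad, (c) => { exitCode = c; });
  return { goodPort: validateEnv(good).port, badError, exitCode, cfgIsNull: cfg === null };
}
```

Call `loadConfigOrExit()` as the first statement of the entry point, before the Discord client or Prisma connects, so a misconfigured process never gets far enough to do anything with partial credentials.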
Input Validation via Discord.js Slash Commands
Slash command option types are enforced by the Discord API itself: users cannot submit a `STRING` where a `USER` or `INTEGER` is expected, which removes type-confusion bugs at the input boundary. It does not remove every injection risk, though. `STRING` options carry arbitrary text, so a reason or note that later reaches a database query, a shell command, or a message embed still needs validation and escaping at the point of use.
Prepared Queries via Prisma ORM
All database queries use Prisma ORM (`^5.10.0`), which generates parameterized prepared statements. Raw SQL injection through user-supplied input is not possible through the standard Prisma query methods or the `$queryRaw` tagged template. The exceptions are `$queryRawUnsafe`, `$executeRawUnsafe` and `Prisma.raw`, which accept a pre-built string; any new code that passes user input into them reintroduces the risk and should be flagged in review.
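Why the tagged-template form is safe and the string-building form is not, as an added example: a minimal `sql` tag models what `prisma.$queryRaw` does at the boundary (each `${}` hole becomes a `?` placeholder for MariaDB and the values travel separately), placed next to the concatenation that `$queryRawUnsafe` would accept. This is a model written for the example, not Prisma's implementation or the project's code; the `warnings` table and the payload are constructed.

```javascript
// Added example: parameterized query via a tagged template versus string
// concatenation. Models the $queryRaw boundary; not Prisma's own code.
function sql(strings, ...values) {
  // strings: the literal SQL pieces; values: the interpolated user inputs.
  // Every hole becomes a '?' and the value is bound by the driver, never
  // spliced into the text.
  const text = strings.reduce((acc, s, i) => acc + (i === 0 ? "" : "?") + s, "");
  return { text, values };
}

// Safe: user-supplied id goes into the values array, not the SQL text.
function findWarnsByUser(discordId) {
  return sql`SELECT id, reason FROM warnings WHERE user_id = ${discordId} ORDER BY created_at DESC`;
}

// Unsafe: the kind of string one would hand to $queryRawUnsafe. Kept only to
// show what the page's restriction to standard Prisma methods prevents.
function findWarnsByUserUnsafe(discordId) {
  return `SELECT id, reason FROM warnings WHERE user_id = '${discordId}'`;
}

// Constructed payload: closes the quoted literal and appends a tautology.
const PAYLOAD = "1' OR '1'='1";

function demo() {
  const safe = findWarnsByUser(PAYLOAD);
  const unsafe = findWarnsByUserUnsafe(PAYLOAD);
  return {
    safeText: safe.text,
    safeValues: safe.values,
    payloadInSafeText: safe.text.includes(PAYLOAD),
    payloadInUnsafeText: unsafe.includes("OR '1'='1"),
  };
}
```

A useful review rule that follows from this: `$queryRaw` and `$executeRaw` must always be invoked as tagged templates, and any call to the `Unsafe` variants or `Prisma.raw` with a non-constant argument needs a justification in the pull request.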
Secrets and the .env File
Never commit `.env` with real credentials. Commit a `.env.example` (no real values) instead to document which variables are required for other contributors.
Production Deployment Security Checklist
Before deploying to a production server, verify:
- `.env` is present with real credentials and not committed to the repository
- `git check-ignore .env` confirms `.env` is gitignored
- HTTPS is enabled on the dashboard (via Nginx/Apache reverse proxy + Let’s Encrypt)
- Dashboard port (default `3000`) is firewalled and not directly exposed to the public internet
- MariaDB is configured with a non-root user with minimum required privileges
- Automatic database backups are scheduled (e.g., via cron + `mysqldump`)
- `NODE_ENV=production` is set in `.env`
- PM2 is configured with automatic restart (`npm run prod`)
- Log rotation is configured to prevent disk exhaustion
Dependency Auditing
Run `npm audit` regularly to check for known CVEs in project dependencies.
Audit Logging
All sensitive actions performed through the bot are logged and stored for 90 days (configurable via `config.js`). Logged events include:
- Configuration changes via `/setup` and `/config`
- Moderation actions (warns, kicks, bans, unmutes)
- Ticket creation and closure (with transcripts)
- Role assignments and removals
- Dashboard access and configuration edits
Acknowledgements
The team thanks the security community for responsible disclosure. All verified reports will be credited in `CHANGELOG.md` with the reporter’s consent.
Last updated: January 29, 2026
