
The security of Discord communities running the Capinetta RP Bot System is a priority. This system handles sensitive data including Discord OAuth2 tokens, session cookies, moderation records, and server configuration. If you discover a vulnerability, please report it privately through one of the channels listed below — never create a public GitHub issue for security bugs, as that could expose the flaw to bad actors before a patch is available.

How to Report

Discord DM (Preferred)

Send a private DM to a maintainer in the Capi Netta RP Discord server. This is the fastest way to reach the team confidentially.

GitHub Security Advisory

Open a private GitHub Security Advisory directly in the repository. This keeps the report confidential until a patch is released.
Do not open a public GitHub Issue for security vulnerabilities. Public issues are indexed immediately and could expose the vulnerability to malicious actors before a fix is deployed.

What to Include

A clear and complete report helps the maintainers respond quickly. Please provide:
  • Description — a clear explanation of the vulnerability and where it exists in the codebase
  • Steps to reproduce — numbered steps to reliably trigger the issue
  • Potential impact — what could an attacker achieve? (e.g., data exposure, privilege escalation, session hijacking)
  • Suggested fix — optional, but always appreciated
  • Credit preference — let us know how you’d like to be credited in the changelog, or if you prefer to remain anonymous

Response Timeline

| Stage | Timeframe |
| --- | --- |
| Acknowledgment of your report | Within 48 hours |
| Assessment and fix timeline communicated | Within 3–7 days |
| Patch developed and tested | 7–30 days depending on severity |
| Coordinated disclosure published | After the patch is released |
Verified security reports will be credited in CHANGELOG.md with your consent.

Security Features in the Codebase

The following security controls are already implemented in the Capinetta RP Bot System. Understanding these helps you identify gaps or misconfigured deployments.
The Express dashboard uses Helmet.js (^7.1.0) to set secure HTTP headers on every response, including X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy. This prevents clickjacking and MIME-type sniffing attacks.
The dashboard implements a per-request CSP nonce strategy. Each request generates a unique nonce injected into EJS templates, allowing inline scripts and styles to execute without requiring the insecure unsafe-inline directive. This significantly limits the impact of any XSS vulnerability.
express-rate-limit (^6.10.0) is applied to dashboard routes to prevent brute-force attacks against the OAuth2 login flow and any authenticated API endpoints.
Express sessions are configured with HTTPOnly cookies, meaning session tokens are inaccessible to JavaScript running in the browser. This blocks session theft via XSS even if a script injection were to occur.
Every moderation and admin command checks Discord’s PermissionFlagsBits on the executing member and additionally validates against Discord’s Audit Logs before executing destructive actions. Permissions are never trusted from the client side alone.

```javascript
// ✅ Permission bits are checked on the executing member here; audit-log
// validation follows before any destructive action is carried out
if (!interaction.member.permissions.has(PermissionFlagsBits.Administrator)) {
    return interaction.reply("❌ Insufficient permissions.");
}
```
Required environment variables (bot tokens, database credentials, OAuth2 secrets) are validated when the process starts. If any critical variable is missing, the process exits immediately rather than starting with an incomplete configuration that could cause unpredictable behavior.
Slash command option types are enforced by the Discord API itself — users cannot submit a STRING where a USER or INTEGER is expected. This eliminates an entire class of injection risks at the input boundary.
All database queries use Prisma ORM (^5.10.0), which generates parameterized prepared statements. Raw SQL injection through user-supplied input is not possible through standard Prisma query methods.

Secrets and the .env File

The .env file contains highly sensitive credentials including bot tokens, database passwords, and the OAuth2 client secret. It must never be committed to version control. It is listed in .gitignore — verify this with git check-ignore .env before every push.
Incorrect — never do this:
```javascript
// index.js — this exposes your secrets if pushed to GitHub
const TOKEN = "your_bot_token_here_1234567890";
const DB_PASSWORD = "mypassword123";
```
Correct — always use environment variables:
```dotenv
# .env (NOT committed — gitignored)
BOT_TOKEN_GENERAL=your_bot_token_general_here
BOT_TOKEN_WHITELIST=your_bot_token_whitelist_here
DB_HOST=localhost
DB_USER=root
DB_PASSWORD=your_db_password
DB_NAME=capi_netta
DISCORD_CLIENT_ID=your_client_id
DISCORD_CLIENT_SECRET=your_client_secret
```

```javascript
// index.js — read from environment at runtime
// (process.env is populated from .env by whichever loader the project uses,
// e.g. the dotenv package; the loader is not stated on this page)
const TOKEN = process.env.BOT_TOKEN_GENERAL;
const DB_PASSWORD = process.env.DB_PASSWORD;
```
Use .env.example (committed, no real values) to document which variables are required for other contributors.
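The startup validation described under Security Features (exit immediately when a critical variable is missing) and the .env conventions in this section are shown together below as an added example. It is not the project's code: `parseDotenv` is a minimal stand-in for a dotenv-style loader, the placeholder check (values beginning with `your_`, as in the .env sample above) is an added heuristic, the config object shape is an assumption, and the sample .env text is constructed with no real credentials.

```javascript
// Added example, not the project's code: a .env loader and fail-fast startup
// validation for the variables this page lists. parseDotenv stands in for the
// dotenv package; the "your_" placeholder check is an added heuristic.
const REQUIRED_VARS = [
  "BOT_TOKEN_GENERAL", "BOT_TOKEN_WHITELIST",
  "DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME",
  "DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET",
];

// KEY=VALUE per line; blank lines and '#' comments skipped; one layer of
// matching single or double quotes stripped from the value.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      value.length >= 2 &&
      (value[0] === '"' || value[0] === "'") &&
      value[value.length - 1] === value[0];
    if (quoted) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Returns a list of human-readable problems; an empty list means the
// configuration is complete and holds no leftover .env.example placeholders.
function validateEnv(env, required = REQUIRED_VARS) {
  const problems = [];
  for (const name of required) {
    const value = env[name];
    if (value === undefined || value === "") {
      problems.push(`${name} is missing`);
    } else if (/^your_/i.test(value)) {
      problems.push(`${name} still holds the .env.example placeholder`);
    }
  }
  return problems;
}

// Startup gate: refuse to run with an incomplete configuration. `exit` is
// injectable so the behaviour can be tested without killing the process.
function loadConfigOrExit(env = process.env, exit = (code) => process.exit(code)) {
  const problems = validateEnv(env);
  if (problems.length > 0) {
    console.error("Refusing to start:\n  " + problems.join("\n  "));
    return exit(1);
  }
  // Assumed config shape; the project's own layout is not shown on this page.
  return {
    botTokens: { general: env.BOT_TOKEN_GENERAL, whitelist: env.BOT_TOKEN_WHITELIST },
    db: { host: env.DB_HOST, user: env.DB_USER, password: env.DB_PASSWORD, name: env.DB_NAME },
    oauth: { clientId: env.DISCORD_CLIENT_ID, clientSecret: env.DISCORD_CLIENT_SECRET },
  };
}

// Constructed sample .env text (not real credentials). One placeholder is left
// in on purpose to exercise the failure path.
const SAMPLE_ENV_TEXT = `# constructed sample
BOT_TOKEN_GENERAL=general-token-constructed
BOT_TOKEN_WHITELIST="whitelist-token-constructed"
DB_HOST=localhost
DB_USER=capi_app
DB_PASSWORD=correct-horse-battery-staple
DB_NAME=capi_netta
DISCORD_CLIENT_ID=123456789012345678
DISCORD_CLIENT_SECRET=your_client_secret
`;
```

In a real entry point the flow is `Object.assign(process.env, parseDotenv(fs.readFileSync(".env", "utf8")))` followed by `const config = loadConfigOrExit();` before any Discord client or database connection is created, so a half-filled .env is caught before the bot ever logs in.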

Production Deployment Security Checklist

Before deploying to a production server, verify:
  • .env is present with real credentials and not committed to the repository
  • git check-ignore .env confirms .env is gitignored
  • HTTPS is enabled on the dashboard (via Nginx/Apache reverse proxy + Let’s Encrypt)
  • Dashboard port (default 3000) is firewalled and not directly exposed to the public internet
  • MariaDB is configured with a non-root user with minimum required privileges
  • Automatic database backups are scheduled (e.g., via cron + mysqldump)
  • NODE_ENV=production is set in .env
  • PM2 is configured with automatic restart (npm run prod)
  • Log rotation is configured to prevent disk exhaustion

Dependency Auditing

Run npm audit regularly to check for known CVEs in project dependencies:
```bash
# Check for vulnerabilities
npm audit

# Attempt automatic fixes (review changes carefully)
npm audit fix

# Report moderate-and-above severity issues
npm audit --audit-level=moderate
```
Policy: Critical dependency vulnerabilities are patched immediately. Non-critical issues are addressed in the next scheduled release.

Audit Logging

All sensitive actions performed through the bot are logged and stored for 90 days (configurable via config.js). Logged events include:
  • Configuration changes via /setup and /config
  • Moderation actions (warns, kicks, bans, unmutes)
  • Ticket creation and closure (with transcripts)
  • Role assignments and removals
  • Dashboard access and configuration edits
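The retention rule and the event categories listed above are shown as an added example below; this is not the project's logger, its storage layer is not described on this page, so entries are kept in memory here. The entry field names, the `redact` helper (which keeps token-, secret-, password- and cookie-like keys out of the trail even if a caller passes them by mistake) and the sample events are assumptions and constructed data.

```javascript
// Added example, not the project's code: an audit trail with the 90-day
// retention this page describes. Storage is in memory here; field names,
// the redaction helper and the sample events are assumptions.
const DEFAULT_RETENTION_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

// Categories mirroring the list on this page.
const CATEGORIES = new Set(["configuration", "moderation", "ticket", "role", "dashboard"]);

// Keys whose values never belong in an audit record, whatever the caller sends.
const SECRET_KEYS = /token|secret|password|cookie/i;
function redact(details) {
  const out = {};
  for (const [key, value] of Object.entries(details)) {
    out[key] = SECRET_KEYS.test(key) ? "[redacted]" : value;
  }
  return out;
}

class AuditLog {
  constructor(retentionDays = DEFAULT_RETENTION_DAYS) {
    this.retentionMs = retentionDays * DAY_MS;
    this.entries = [];
  }

  // Record one sensitive action. actorId/guildId/targetId are Discord snowflakes
  // as strings; `at` is a millisecond timestamp (injectable for tests).
  record({ category, action, actorId, guildId, targetId = null, details = {} }, at = Date.now()) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown audit category: ${category}`);
    const entry = { at, category, action, actorId, guildId, targetId, details: redact(details) };
    this.entries.push(entry);
    return entry;
  }

  // Drop entries older than the retention window; returns how many were removed.
  prune(now = Date.now()) {
    const cutoff = now - this.retentionMs;
    const before = this.entries.length;
    this.entries = this.entries.filter((e) => e.at >= cutoff);
    return before - this.entries.length;
  }

  // Investigation helper: everything one actor did in one guild, oldest first.
  byActor(guildId, actorId) {
    return this.entries
      .filter((e) => e.guildId === guildId && e.actorId === actorId)
      .sort((a, b) => a.at - b.at);
  }
}
```

A scheduled job (the same cron slot used for backups works) calls `prune()` once a day; because `record` redacts by key, a ticket transcript or configuration diff that accidentally includes a token is logged with that value replaced rather than stored for 90 days.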

Acknowledgements

The team thanks the security community for responsible disclosure. All verified reports will be credited in CHANGELOG.md with the reporter’s consent. Useful references:
Last updated: January 29, 2026
