Skip to content

Security: FinnGrndl/Nuclear-Option-Server-Panel

Security

docs/security.md

Security Notes

Defaults

  • The panel binds to 127.0.0.1 by default.
  • Use a reverse proxy with TLS for external admin access.
  • Prefer Tailscale or WireGuard VPN-only admin access.
  • First-run login forces the default admin password to be changed.
  • Panel passwords are stored as hashes.
  • Mutating browser requests use a session CSRF token.
  • Login attempts are rate-limited and repeated failures can block non-local IPs.
  • Discord tokens, webhooks, Steam credentials, server passwords, and cluster secrets must not be logged.

Docker Server Containers

Recommended defaults:

  • non-root container user
  • no SSH in the container
  • no secrets baked into images
  • no panel secrets passed to game containers
  • no Docker socket mounted into game containers
  • no-new-privileges
  • cap_drop: ALL where compatible
  • pids_limit
  • CPU/RAM limits
  • expose only game UDP and query UDP publicly
  • keep command TCP bound to localhost/private networks

read_only: true is a useful hardening goal, but validate compatibility first because SteamCMD auto-update and some server writes require writable paths.

Docker Install/Update Actions

Install and update actions are admin-only panel operations and run through the Docker CLI. They install server files into a persistent game volume, not into the panel container.

Steam credentials are optional and must not be baked into images. The current default is anonymous SteamCMD login. SteamCMD output returned by runtime helpers is redacted before it reaches the UI/API.

Starting a Docker game server without NuclearOptionServer.x86_64 is prevented by the runtime helper unless INSTALL_ON_START=true is explicitly configured.

Admin Access

Do not expose the Flask development server directly to the internet. Put it behind a reverse proxy and enable secure cookies once HTTPS is active.

The command TCP port should not be internet-facing. If it must be reachable remotely, bind it to a private interface or tunnel and document the risk.

Safe access guides:

File Handling

Validate:

  • server names
  • ports
  • JSON config
  • mission filenames
  • bind mount paths
  • gallery/download filenames

Use path containment checks for all file access that resolves user-provided names.

There aren't any published security advisories