Security Guide
Security considerations and best practices for SigmaOrders.
Payment Security
Escrow System
The escrow system provides secure payments:
- Money held until delivery confirmed
- Prevents fraud and chargebacks
- Automatic refund on cancellation/expiration
Always use ESCROW (default) - it's the most secure method.
Transaction Validation
The plugin validates all transactions:
- Balance checks before operations
- Escrow balance validation
- Negative balance protection
- Concurrent operation safety
Permission Security
Principle of Least Privilege
Give players only necessary permissions:
# New players: minimal access
/lp group default permission set sigmaorders.use true
/lp group default permission set sigmaorders.fulfill true
# Regular players: standard access
# (a LuckPerms wildcard matches every sigmaorders.* node, including sigmaorders.admin)
/lp group player permission set sigmaorders.* true
# Admins: full access
/lp group admin permission set sigmaorders.* true
Admin Permissions
Protect admin permissions:
- Don't give sigmaorders.admin to regular players
- Use separate admin group
- Review permissions regularly
- Test permission changes
Data Security
Database Security
SQLite:
- File permissions: Restrict access to server user only
- Regular backups: Protect against data loss
- File location: Keep in secure directory
MySQL:
- Strong passwords: Use complex passwords
- Limited privileges: Grant only necessary permissions
- Network security: Restrict database access
- Regular backups: Protect against data loss
Transaction Logging
Enable transaction logging for audit trail:
transaction-logging:
  enabled: true
  format: DETAILED
  log-creation: true
  log-payments: true
  log-refunds: true
  log-deliveries: true
Input Validation
Order Creation
All inputs are validated:
- Price limits enforced
- Quantity limits enforced
- Item blacklist checked
- Cooldown enforced
Delivery Validation
Deliveries are validated:
- Item matching verified
- Quantity limits enforced
- Order status checked
- Concurrent delivery protection
Blacklist Security
Item Blacklist
Use blacklist to prevent problematic items:
blacklist:
  enabled: true
  items:
    - BEDROCK
    - BARRIER
    - COMMAND_BLOCK
    - SPAWNER
Player Blacklist
Blacklist problematic players:
blacklist:
  enabled: true
  players:
    - "player-uuid-here"
    - "player-name-here"
API Security
API Access
If using the API:
- Validate all inputs
- Check permissions before operations
- Handle errors gracefully
- Don't expose sensitive data
API Best Practices
// Always validate inputs
if (orderId <= 0) {
    return CompletableFuture.completedFuture(false);
}
// Check permissions
if (!player.hasPermission("sigmaorders.admin")) {
    return CompletableFuture.completedFuture(false);
}
// Handle errors
try {
    // API call
} catch (Exception e) {
    // Log and handle error
}
Server Security
File Permissions
Restrict file access:
- Plugin folder: Server user only
- Database file: Server user only
- Config files: Server user only
- Log files: Server user only
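One way to check the "server user only" rule above from a POSIX shell, as an added example that is not part of the SigmaOrders documentation. The function names are hypothetical, and the data folder path `plugins/SigmaOrders` and account name `minecraft` in the usage comment are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: audit a plugin data folder (database, config, logs) for
# anything that an account other than the server user can reach.
# Usage (path and account name are assumptions):
#   audit_perms plugins/SigmaOrders minecraft || tighten_perms plugins/SigmaOrders

# audit_perms DIR OWNER
# Prints one line per offending path. Returns 0 if clean, 1 if anything was
# reported, 2 if DIR is not a directory.
audit_perms() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Any group/other permission bit set. POSIX find has no "any of these
    # bits" test, so each bit is checked separately. Symlinks are skipped
    # because their own mode bits are not what access checks use.
    loose=$(find "$dir" \( -perm -0040 -o -perm -0020 -o -perm -0010 \
                        -o -perm -0004 -o -perm -0002 -o -perm -0001 \) \
                 ! -type l -print)

    # Anything owned by an account other than the server user.
    foreign=$(find "$dir" ! -user "$owner" -print)

    [ -n "$loose" ] && printf '%s\n' "$loose" | sed 's/^/LOOSE_MODE /'
    [ -n "$foreign" ] && printf '%s\n' "$foreign" | sed 's/^/WRONG_OWNER /'
    [ -z "$loose$foreign" ]
}

# tighten_perms DIR
# Removes all group/other access and leaves the owner's bits unchanged.
# Ownership problems are not fixed here; those need chown as root.
tighten_perms() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}
```

Run the audit after every plugin update or restore from backup, since both can recreate files with the default umask.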
Network Security
If using MySQL:
- Use secure connections (SSL)
- Restrict database access by IP
- Use strong passwords
- Regular security updates
Best Practices
- Regular Updates: Keep plugin updated
- Backup Regularly: Protect against data loss
- Monitor Logs: Watch for suspicious activity
- Review Permissions: Regular permission audits
- Secure Database: Use strong passwords and access controls
Security Checklist
- Escrow system enabled
- Permissions configured correctly
- Database secured (file permissions or MySQL security)
- Transaction logging enabled
- Blacklist configured
- Regular backups scheduled
- Admin permissions restricted
- Input validation working
- Error handling in place
- Security updates applied
Related Documentation
- Permissions - Permission setup
- Configuration - Security settings
- Best Practices - General best practices