Security Guide
Security considerations and best practices for SigmaOrders.
Payment Security
Escrow System
The escrow system provides secure payments:
- Money held until delivery confirmed
- Prevents fraud and chargebacks
- Automatic refund on cancellation/expiration
Always use ESCROW (default) - it's the most secure method.
Transaction Validation
The plugin validates all transactions:
- Balance checks before operations
- Escrow balance validation
- Negative balance protection
- Concurrent operation safety
Permission Security
Principle of Least Privilege
Give players only necessary permissions:
# New players: minimal access
/lp group default permission set sigmaorders.use true
/lp group default permission set sigmaorders.fulfill true
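# Regular players: standard access
/lp group player permission set sigmaorders.* true
# The wildcard also matches sigmaorders.admin, so deny that node explicitly
/lp group player permission set sigmaorders.admin false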
# Admins: full access
/lp group admin permission set sigmaorders.* true
Admin Permissions
Protect admin permissions:
- Don't give sigmaorders.admin to regular players
- Use separate admin group
- Review permissions regularly
- Test permission changes
Data Security
Database Security
SQLite:
- File permissions: Restrict access to server user only
- Regular backups: Protect against data loss
- File location: Keep in secure directory
MySQL:
- Strong passwords: Use complex passwords
- Limited privileges: Grant only necessary permissions
- Network security: Restrict database access
- Regular backups: Protect against data loss
Transaction Logging
Enable transaction logging for audit trail:
transaction-logging:
  enabled: true
  format: DETAILED
  log-creation: true
  log-payments: true
  log-refunds: true
  log-deliveries: true
Input Validation
Order Creation
All inputs are validated:
- Price limits enforced
- Quantity limits enforced
- Item blacklist checked
- Cooldown enforced
Delivery Validation
Deliveries are validated:
- Item matching verified
- Quantity limits enforced
- Order status checked
- Concurrent delivery protection
Blacklist Security
Item Blacklist
Use blacklist to prevent problematic items:
blacklist:
  enabled: true
  items:
    - BEDROCK
    - BARRIER
    - COMMAND_BLOCK
    - SPAWNER
Player Blacklist
Blacklist problematic players:
blacklist:
  enabled: true
  players:
    - "player-uuid-here"
    - "player-name-here"
API Security
API Access
If using the API:
- Validate all inputs
- Check permissions before operations
- Handle errors gracefully
- Don't expose sensitive data
API Best Practices
// Always validate inputs
if (orderId <= 0) {
    return CompletableFuture.completedFuture(false);
}
// Check permissions
if (!player.hasPermission("sigmaorders.admin")) {
    return CompletableFuture.completedFuture(false);
}
// Handle errors
try {
    // API call
} catch (Exception e) {
    // Log and handle error
}
Server Security
File Permissions
Restrict file access:
- Plugin folder: Server user only
- Database file: Server user only
- Config files: Server user only
- Log files: Server user only
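One way to check the file restrictions listed above, as an added example that is not part of the SigmaOrders documentation. The function names, the directory you pass in (for example plugins/SigmaOrders) and the reliance on GNU find's `-perm /077` syntax are assumptions.

```bash
#!/bin/sh
# Added example (not from the SigmaOrders docs): audit and tighten file
# permissions on a plugin data folder. Paths passed in are assumptions,
# e.g. plugins/SigmaOrders on a typical server layout.

# List every entry under $1 that grants any group/other permission bit or is
# not owned by user $2 (name or numeric uid).
# Returns 0 if clean, 1 if anything was listed, 2 if $1 is not a directory.
audit_plugin_dir() {
    audit_dir=$1
    audit_owner=$2
    [ -d "$audit_dir" ] || { echo "not a directory: $audit_dir" >&2; return 2; }
    # Symlinks are skipped: their own mode bits are not meaningful.
    # -perm /077 (GNU find) matches if any group/other rwx bit is set.
    audit_hits=$(find "$audit_dir" ! -type l \
        \( -perm /077 -o ! -user "$audit_owner" \) -print)
    if [ -z "$audit_hits" ]; then
        return 0
    fi
    printf '%s\n' "$audit_hits"
    return 1
}

# Restrict $1 to its owner: directories 700, regular files 600.
harden_plugin_dir() {
    [ -d "$1" ] || return 2
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Stand-alone use: ./audit.sh <plugin-dir> <server-user>
if [ "$#" -eq 2 ]; then
    audit_plugin_dir "$1" "$2"
fi
```

Run the audit as the server account after each plugin update or restore from backup, since both can reset modes and ownership.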
Network Security
If using MySQL:
- Use secure connections (SSL)
- Restrict database access by IP
- Use strong passwords
- Regular security updates
Best Practices
- Regular Updates: Keep plugin updated
- Backup Regularly: Protect against data loss
- Monitor Logs: Watch for suspicious activity
- Review Permissions: Regular permission audits
- Secure Database: Use strong passwords and access controls
Security Checklist
- Escrow system enabled
- Permissions configured correctly
- Database secured (file permissions or MySQL security)
- Transaction logging enabled
- Blacklist configured
- Regular backups scheduled
- Admin permissions restricted
- Input validation working
- Error handling in place
- Security updates applied
Related Documentation
- Permissions - Permission setup
- Configuration - Security settings
- Best Practices - General best practices