Security Guide

Security considerations for running SigmaOrders.

Payment Security

Keep the default ESCROW method - funds are held until delivery is confirmed, refunded automatically on cancellation/expiration, preventing fraud and chargebacks. The plugin validates balances, escrow state, and blocks negative-balance and concurrent-operation exploits on every transaction.

Permissions

Apply least privilege: minimal access for new players, standard access for regular players, full access restricted to a separate admin group. Don't grant sigmaorders.admin to regular players. Review permissions periodically and test changes before applying broadly. See Permissions Overview for the full node list and LuckPerms Examples for setup commands.

Data Security

SQLite: restrict database.db file permissions to the server user, back up regularly, keep it in a secure directory.

MySQL: use strong passwords, grant only necessary privileges, restrict network access (ideally SSL), back up regularly.

Enable transaction logging for an audit trail:

transaction-logging:
  enabled: true
  format: DETAILED
  log-creation: true
  log-payments: true
  log-refunds: true
  log-deliveries: true

Input Validation

Order creation enforces price limits, quantity limits, the item blacklist, and cooldowns. Delivery enforces item-match verification, quantity limits, order-status checks, and concurrent-delivery protection.

Blacklist

Item and player blacklists prevent griefing/exploit items and bad actors from creating or fulfilling orders. Full config keys and examples: Blacklist Configuration.

API Security

If using the API: validate all inputs, check permissions before operations, handle errors gracefully, never expose sensitive data.

// Always validate inputs
if (orderId <= 0) {
    return CompletableFuture.completedFuture(false);
}

// Check permissions
if (!player.hasPermission("sigmaorders.admin")) {
    return CompletableFuture.completedFuture(false);
}

// Handle errors
try {
    // API call
} catch (Exception e) {
    // Log and handle error
}

Server Security

Restrict plugin folder, database file, config files, and log files to the server user only. If using MySQL, use SSL connections, restrict access by IP, use strong passwords, and keep the database server patched.
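
One way to check and enforce the file restrictions described above. This is an added example, not part of SigmaOrders or its documentation; the data folder path you pass in (typically plugins/SigmaOrders on a Bukkit-style server) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the plugin data folder (database.db, config files,
# logs) so that only the server account can access it.

# List entries under $1 that grant any permission bit to group or others.
# Symlinks are skipped: their own mode is always 777 on Linux and is ignored.
loose_perms() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# List entries under $1 that are not owned by the server account $2
# (user name or numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Report findings; return 0 only if the folder is owned by $2 and closed
# to group and others.
audit_data_dir() {
    loose=$(loose_perms "$1")
    foreign=$(wrong_owner "$1" "$2")
    if [ -n "$loose" ]; then
        printf 'Accessible to group/others:\n%s\n' "$loose"
    fi
    if [ -n "$foreign" ]; then
        printf 'Not owned by %s:\n%s\n' "$2" "$foreign"
    fi
    [ -z "$loose" ] && [ -z "$foreign" ]
}

# Remove all group/other access recursively; owner bits are left untouched.
harden_data_dir() {
    chmod -R go-rwx "$1"
}

# Usage: sh audit.sh <data-folder> [server-user]
[ -z "${1:-}" ] || audit_data_dir "$1" "${2:-$(id -u)}"
```

Run the audit as the server account after each plugin update or restore from backup, since newly created files inherit the process umask rather than the tightened mode.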

Security Checklist

  • Escrow system enabled (default)
  • Permissions configured with least privilege
  • Database secured (file permissions or MySQL access controls)
  • Transaction logging enabled
  • Blacklist configured
  • Regular backups scheduled
  • Admin permissions restricted to a dedicated group
  • Plugin kept up to date

See Also