If you find a security issue, do not open a public issue. Instead:
- Email the maintainer directly, or
- Use GitHub's private vulnerability reporting
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
You should receive a response within 48 hours.
SandPanel runs as a Docker container with network_mode: host and manages game server processes. Because the container uses host networking, every port the backend listens on is bound directly on the host's interfaces, so host-level firewalling is what limits exposure. Security-relevant areas include:
- Authentication — session-based login with bcrypt password hashing
- RCON — plaintext protocol (inherent to Source RCON); keep RCON port firewalled
- API — all endpoints (except /api/gamestats) require session auth
- File access — backend reads/writes game configs and state files within mounted volumes
- Process execution — backend spawns the game server binary and SteamCMD
Recommended hardening:
- Change the default RCON password in .env
- Don't expose port 8080 (backend API) to the internet — only the frontend port
- Keep the Docker socket mount commented out unless you need self-update features (a container with the socket mounted has root-equivalent control of the host)
- Use a reverse proxy with TLS for public-facing deployments
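The two hardening items above that can be verified mechanically are the backend port binding and the Docker socket mount. The script below is an added example and is not part of SandPanel; it assumes the compose file is named docker-compose.yml in the current directory and that listening sockets are read with `ss -ltnH` (both assumptions, not project conventions). The sample compose snippet and `ss` output embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Host hardening check for a SandPanel deployment (added example, not project code).
# Assumptions: compose file is ./docker-compose.yml; listeners come from `ss -ltnH`.

BACKEND_PORT=8080   # backend API port named in the security notes

# Returns 0 (true) if the compose text in $1 contains an ACTIVE (uncommented)
# mount of the Docker socket. Commented-out lines are ignored.
compose_mounts_docker_socket() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' | grep -q 'docker\.sock'
}

# Returns 0 (true) if the `ss -ltnH` output in $1 shows port $2 listening on
# anything other than loopback. Column 4 of ss output is "local-address:port";
# the address may be IPv4, bracketed IPv6, or "*".
port_listens_non_loopback() {
  printf '%s\n' "$1" | awk -v port="$2" '
    {
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && host != "127.0.0.1" && host != "[::1]") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Runs both checks against the live host; returns 1 if either finding is present.
run_host_checks() {
  rc=0
  if [ -f docker-compose.yml ] && compose_mounts_docker_socket "$(cat docker-compose.yml)"; then
    echo "WARN: Docker socket is mounted; comment it out unless self-update is needed"
    rc=1
  fi
  if command -v ss >/dev/null 2>&1 && port_listens_non_loopback "$(ss -ltnH)" "$BACKEND_PORT"; then
    echo "WARN: backend port $BACKEND_PORT listens beyond loopback; firewall it or bind to 127.0.0.1"
    rc=1
  fi
  return $rc
}

# Constructed sample inputs (not taken from a real deployment):
# a compose file with the socket mount commented out, and ss output where the
# backend is loopback-only and a hypothetical frontend port 3000 is public.
SAMPLE_COMPOSE='services:
  sandpanel:
    network_mode: host
    volumes:
      - ./data:/data
      # - /var/run/docker.sock:/var/run/docker.sock
'
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*'

# Only touch the live host when invoked explicitly: sh sandpanel-check.sh --run
if [ "${1:-}" = "--run" ]; then
  run_host_checks
fi
```

Run it as `sh sandpanel-check.sh --run` on the Docker host after deployment; a non-zero exit means at least one of the two recommendations above is not being followed. The port check deliberately treats `[::]` and `*` as public bindings, since with host networking those are reachable on every interface.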