Skip to content

Security

Network access

VODUM_IP_FILTER=1
VODUM_ALLOWED_NETS=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Behind a reverse proxy, enable forwarded-header trust only for its network:

VODUM_TRUST_PROXY=1
VODUM_TRUSTED_PROXY_NETS=127.0.0.1/32,::1/128,172.18.0.0/16

Use HTTPS, a firewall and the narrowest possible CIDRs.

Web protections

VODUM requires administrator authentication, rate-limits failed logins, rejects unsafe external next redirects and applies CSRF validation to POST/PUT/PATCH/ DELETE requests. Cookies are HttpOnly; SameSite and Secure are configurable.

Secrets and backups

SMTP passwords, Discord tokens and provider tokens are encrypted in SQLite. The persistent key defaults to /appdata/vodum.encryption_key and may be changed with VODUM_ENCRYPTION_KEY_FILE or supplied using VODUM_ENCRYPTION_KEY.

Full ZIP backups contain the key and encrypted values. Raw databases do not. Treat both logs and backups as sensitive.

Upload limits

VODUM_MAX_UPLOAD_MB, VODUM_MAX_ZIP_EXTRACTED_MB and VODUM_MAX_ZIP_MEMBERS bound requests and restored archives. A reverse proxy must allow the desired request size too.