Warnix Bot
Security

Discord admin access is checked server-side.

Warnix treats every server setting as privileged. Before saving a change, the dashboard verifies the signed-in Discord user, that user's permission in the guild being edited, the bot state, and the request token.

Session protected

OAuth tokens stay encrypted on the server. Browser code only gets the data needed to render the dashboard.

Permission checked

Each protected route verifies Discord Administrator access for the exact guild being managed.

Safe mutations

Settings updates use CSRF verification, request validation, rate limits, and audit-friendly persistence.

Security controls

Discord Bot Token stays server-side and is never returned to Client Components.

Guild settings endpoints require an active session, verified guild membership, and Administrator permission.

POST and PATCH requests require CSRF verification tied to the server session.

OAuth and AI secrets are stored encrypted or redacted from responses.

Unknown setting keys are blocked by settingsConfig and Zod validation.

Rate limits protect authentication, guild reads, and settings mutations.
