Description
I have noticed that the VRChat Creation documentation lacks sufficient information on world security.
With the advancement of AI chatbots and code generation tools, the accessibility of VRChat world creation has significantly improved. Now, even beginner developers can implement complex features with minimal programming knowledge. However, this increased accessibility also raises the risk of security mistakes due to a lack of understanding.
Therefore, it is crucial to provide clear documentation on security best practices to help beginner developers create VRChat worlds safely and securely.
Specifically, I believe it would be beneficial to include details on the following security concerns:
- Network Synchronization Security
  Since synchronized variables in Udon can potentially be manipulated by clients, it is essential to carefully verify them on the instance owner (server) side.
  Proper documentation on this would be helpful.
- Persistence API Security
  The fact that data stored using the Persistence API can be accessed by anyone should be clearly emphasized in the documentation.
  It would also be helpful to include security best practices, especially regarding storing sensitive data.
- IP Logging Vulnerability via External URLs
  Currently, it is possible to collect users' IP addresses by utilizing external URLs.
  Adding security recommendations or preventive measures for this issue in the documentation would be beneficial.
- Clarification on External URL Restrictions
  The documentation should provide a clear explanation of why only predefined or user-input URLs are allowed when using external URLs.
  Understanding the reasoning behind this restriction would help developers make informed decisions regarding external API usage.