Drawpile security depends on how you run the dedicated server (drawpile-srv) and whether sessions are public or authenticated. The highest-risk areas are open guest sessions, weak room passwords, and exposed admin endpoints.
- Disable unrestricted guest access for private deployments.
- Use registered users, per-session passwords, or external auth (--ext-auth-script) for controlled groups.
- Separate moderator accounts from normal participants.
- Disable or tightly restrict remote server administration features.
2) Harden network exposure and TLS
- Expose only required Drawpile service ports.
- Terminate TLS at a reverse proxy, or enable TLS directly where supported.
- Restrict admin/control endpoints by IP/VPN.
- Apply rate limiting for connection/session creation to reduce abuse.
3) Limit persistence and data leakage
- Store session recordings and snapshots in restricted directories.
- Define retention windows for old drawings/recordings.
- Encrypt backups that include board contents.
- Remove abandoned public sessions automatically.
Verification commands
sudo ss -tulpn | grep -E ':27750|:443|:80'
sudo grep -R "auth\|guest\|password\|session" /etc/drawpile /opt/drawpile 2>/dev/null | head
sudo find /var/lib/drawpile -maxdepth 2 -type d -ls
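The last command above only lists directories. The script below is an added example, not part of the Drawpile project, that checks the section 3 items on restricted directories and retention windows without changing anything. The 30-day window and the choice to treat every regular file under the directory as session data are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a Drawpile data directory.
# Assumptions: every regular file under the directory is session data,
# and 30 days is the retention window; adjust both to your deployment.

# Print files and directories that grant any permission to "other" users.
loose_perms() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null
}

# Print regular files last modified more than $2 days ago.
expired_files() {
    find "$1" -type f -mtime +"$2" 2>/dev/null
}

# Report both findings. Returns 0 if clean, 1 on findings, 2 if dir missing.
audit_drawpile_dir() {
    dir=$1
    days=${2:-30}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    loose=$(loose_perms "$dir")
    old=$(expired_files "$dir" "$days")
    status=0
    if [ -n "$loose" ]; then
        echo "Accessible to other users (tighten with chmod o-rwx):"
        printf '%s\n' "$loose" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$old" ]; then
        echo "Older than $days days (review against retention policy):"
        printf '%s\n' "$old" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Run only when a directory is given, e.g.: sudo sh audit.sh /var/lib/drawpile 30
if [ "$#" -ge 1 ]; then
    audit_drawpile_dir "$@"
fi
```

The non-zero exit status on findings lets the script run from cron or a monitoring check and alert when a recording directory drifts from the intended permissions or retention window.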
- Drawpile documentation: https://drawpile.net/
- Drawpile source code: https://github.com/drawpile/Drawpile
- Drawpile dedicated server docs: https://github.com/drawpile/Drawpile/tree/master/doc