Excalidraw has a split model: drawing data can be local/end-to-end encrypted, while collaboration needs a separate room server. Harden both web frontend and collaboration backend together.
¶ 1) Patch quickly and track advisories
- Follow Excalidraw GitHub security advisories and release updates.
- Patch collaboration server and frontend in the same maintenance window.
- Validate share-link and room-join behavior after upgrades.
- Remove old static bundles after deployment to avoid stale vulnerable assets.
- Keep collaboration websocket endpoint behind HTTPS/WSS only.
- Restrict allowed origins to your Excalidraw frontend domain.
- Apply connection/session rate limits at reverse proxy.
- Isolate collaboration service from unrelated workloads.
¶ 3) Protect privacy and sharing boundaries
- Prefer local file workflows for highly sensitive diagrams.
- Use expiring/private share links in surrounding application logic.
- Do not expose room IDs or collaboration secrets in logs.
- Keep telemetry optional/disabled per policy.
¶ Verification commands
sudo ss -tulpn | grep -E ':443|:80|:3000|:3002'
grep -R "origin\|ws\|collab\|secret" /opt/excalidraw /etc/excalidraw 2>/dev/null | head
sudo journalctl -u excalidraw* --since '24 hours ago' | grep -Ei 'error|forbidden|origin|ws' 2>/dev/null
- Excalidraw docs: https://docs.excalidraw.com/
- Excalidraw repository: https://github.com/excalidraw/excalidraw
- Excalidraw security advisories: https://github.com/excalidraw/excalidraw/security/advisories