tldraw self-hosting typically combines a frontend app with optional sync/back-end components. Security posture depends on authenticated room access, strict origin controls, and safe storage of collaboration state.
- Require user authentication before room/document access.
- Prevent predictable public room IDs for private boards.
- Restrict write permissions by role in your app integration layer.
- Expire invitation links and collaboration tokens.
¶ 2) Harden sync service and storage
- Keep sync server and backing database on private networks.
- Enforce TLS for all client and server traffic.
- Restrict allowed origins/CORS to trusted domains.
- Apply per-user/per-room rate limits to prevent sync abuse.
¶ 3) Secure uploads and embedded content
- Validate file uploads and limit MIME types/sizes.
- Store uploaded assets outside web root or behind signed access.
- Scan imported files for malware in enterprise setups.
- Disable unnecessary embed providers in untrusted environments.
¶ Verification commands
sudo ss -tulpn | grep -E ':443|:80|:3000|:8787'
grep -R "auth\|origin\|cors\|room\|sync" /opt/tldraw /etc/tldraw 2>/dev/null | head
docker compose -f /opt/tldraw/docker-compose.yml ps 2>/dev/null
- tldraw docs: https://tldraw.dev/
- tldraw self-hosting docs: https://tldraw.dev/docs/sync/self-hosting
- tldraw repository: https://github.com/tldraw/tldraw
- tldraw security advisories: https://github.com/tldraw/tldraw/security