WBO is a simple collaborative board service with public/private board modes. Main risks are unauthorized board access, brute-force room discovery, and exposed websocket endpoints.
¶ 1) Restrict board creation and access policy
- Disable open anonymous board creation for private deployments.
- Use board passwords or auth integration for internal rooms.
- Limit exposure of board URLs in shared or public channels; the board name in the URL is what grants access to an unprotected room.
- Rotate/close old rooms that remain public unnecessarily.
¶ 2) Harden websocket and reverse proxy setup
- Enforce HTTPS and WSS only.
- Restrict allowed origins to your own WBO domain.
- Apply connection and request rate limiting to reduce abuse.
- Restrict admin/debug endpoints by IP/VPN.
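An added nginx reverse-proxy example (not taken from the WBO project or its docs) that applies the HTTPS/WSS-only, origin allow-list and rate-limit items above in one place; the hostname wbo.example.com, the certificate paths, the limit values and the upstream 127.0.0.1:5001 are assumptions to adjust for your deployment.

```nginx
# Upgrade header handling for WebSocket (socket.io) connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Origin allow-list: only the WBO host itself may open a WebSocket.
# An empty Origin is allowed because ordinary page loads do not send one.
map $http_origin $wbo_origin_ok {
    default                   0;
    ''                        1;
    "https://wbo.example.com" 1;   # assumed hostname
}

# Per-client request and connection limits (values are assumptions; tune to load)
limit_req_zone  $binary_remote_addr zone=wbo_req:10m  rate=20r/s;
limit_conn_zone $binary_remote_addr zone=wbo_conn:10m;

# Plain HTTP only redirects to HTTPS, so ws:// never reaches the board
server {
    listen 80;
    server_name wbo.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name wbo.example.com;
    ssl_certificate     /etc/ssl/wbo/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/wbo/privkey.pem;     # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Reject cross-origin WebSocket/upgrade attempts before proxying
        if ($wbo_origin_ok = 0) { return 403; }

        limit_req  zone=wbo_req burst=40 nodelay;
        limit_conn wbo_conn 20;

        proxy_pass http://127.0.0.1:5001;   # WBO upstream (assumed port)
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # keep idle board sockets open
    }
}
```

Pair this with binding the WBO process itself to the loopback address so the upstream port is not reachable directly; the ss check in the verification section should then show that port only on 127.0.0.1.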
¶ 3) Protect persistence and logs
- Keep board persistence data in restricted service directories.
- Avoid logging sensitive room identifiers where possible.
- Encrypt backups of persistent boards.
- Set retention for inactive board data.
¶ Verification commands
sudo ss -tulpn | grep -E ':80|:443|:5001|:8080'
grep -R "origin\|auth\|rate\|board" /opt/wbo /etc/wbo 2>/dev/null | head
docker compose -f /opt/wbo/docker-compose.yml logs --tail=200 2>/dev/null | grep -Ei 'forbidden|origin|rate|auth'
¶ References
- WBO docs/site: https://wbo.ophir.dev/
- Whitebophir repository: https://github.com/lovasoa/whitebophir
- Whitebophir security/advisories: https://github.com/lovasoa/whitebophir/security