Discourse Security

Is there an architectural or network diagram available for Discourse? Or are there documents that discuss Discourse security? Which ports are in use? Which services? Anything to convince a security review team that Discourse is a secure service suitable for hosting confidential discussions?

Thanks.


Hey Cristy,

Welcome to the community.

Here is a list of customers that use Discourse. There are quite a few well-known companies that trust Discourse. If they trust Discourse, who am I to question? :slight_smile:

From our README:

We take security very seriously at Discourse; all our code is 100% open source and peer reviewed. Please read our security guide for an overview of security measures in Discourse, or if you wish to report a security issue.


It's helpful knowing there is a large user community that utilizes Discourse. But it does remind me of a Monty Python skit where they build a block of flats that includes a hallway of rotating knives: “Don’t worry, you’ll be fine. Others have bought this same home and we have not received a single complaint.” I wonder why? :slight_smile:

I get the overall architecture with the Docker container, Ruby, PostgreSQL, and only one port exposed by default (80). However, I’m thinking that out of those thousands of customers, I can’t be the first to be concerned about understanding the security issues surrounding Discourse.

Hey @cristy, check out the page Gerhard linked to. You may also be interested in our Security brief | Discourse - Civilized Discussion.

I previously read the security guide, and your commitment to security gets us most of the way there. However, it does not go deep into precisely which services are utilized, which ports, how they are connected, points of vulnerability, etc. I am trying to surmise this myself, but as I did not develop Discourse, it will be easy for me to overlook the entirety of the architecture and possible injection points in regard to overall security. If nothing is readily available, I’ll attempt to reconstruct the architecture myself. But if someone in the user base has already done this work, please share.

Well, if Discourse points all of this out, then it makes itself vulnerable, as then hackers will know how to.