Quick Json Security question

Happy May everyone :wave:

Talking with our Security team, they were curious why the userid is in the JSON for the categories, and what exactly the JSON is there for.

Their primary concern is, for example, if we decide to delist a topic due to security reasons (which we have done before), could this metadata somehow leak them?

I appreciate the feedback, thank you!

1 Like

Hey Jim :wave:

I’m not sure I understand the question exactly, can you elaborate a little more?

We use JSON to send all information between the server and the client in Discourse. User IDs are included regularly, and are not considered secret.

Unlisting a topic will remove it from any topic lists. This is done server-side, so yes they will disappear from the JSON payload for unprivileged accounts.

Of course, if someone already has the link for the topic, then they could still view the unlisted topic. If you need to completely secure a topic, then it’s best to convert it to a PM.

8 Likes

This helped put their minds at ease. Thanks!

1 Like
