Administration
Despite following many security best practices, the SillyTavern server is not secure enough for exposure to the public internet.
NEVER HOST ANY INSTANCES ON THE OPEN INTERNET WITHOUT ENSURING PROPER SECURITY MEASURES FIRST.
WE ARE NOT RESPONSIBLE FOR ANY DAMAGE OR LOSSES RESULTING FROM UNAUTHORIZED ACCESS DUE TO IMPROPER OR INADEQUATE SECURITY IMPLEMENTATION.
The main configuration file for SillyTavern. It contains various settings, such as network, security, and backend-specific options.
To share your SillyTavern instance with others, you can create multiple user accounts. Each user has their own settings, extensions, and data. User accounts can also be password-protected.
You can access your SillyTavern instance from your phone, tablet, or another computer.
To access your SillyTavern instance from the internet, you can use a VPN or a tunneling service like Cloudflare Zero Trust, ngrok, or Tailscale.
Enthusiasts can set up a reverse proxy to access their SillyTavern instance from the internet.
Data Layout
This section provides an overview of the user data storage structure in SillyTavern. Only the default data layout (data root is a subdirectory of the SillyTavern installation directory) is described here. If you have customized the data layout, refer to your custom configuration for details.
data/[user-handle] (e.g. data/default-user)
Created for each user account, this folder contains user-specific data such as character files, conversation history, and settings.
data/_cache
A storage for files downloaded by the server, such as tokenizer files and transformers.js models.
data/_cache/characters
Contains parsed character data when the performance.useDiskCache setting is enabled, synchronized on startup and when characters are updated.
This allows for faster loading of character data at the cost of disk space.
data/_css
A storage for custom CSS files.
Currently, only the user.css file is supported, which allows you to add custom styles to the frontend.
data/_errors
A storage of HTML files containing error pages for various HTTP status codes. These files are used to display custom error pages when the server encounters errors.
- forbidden-by-whitelist.html: Displayed when a request is blocked by the IP address whitelist.
- host-not-allowed.html: Displayed when a request is blocked by the host whitelist.
- unauthorized.html: Displayed when the basic authentication fails.
- url-not-found.html: Displayed when a requested resource is not found.
data/_storage
A storage for user account data.
Editing these files manually is not recommended and can lead to data corruption.
data/_uploads
A temporary storage for files uploaded by users, while they are being processed by the server.
These files are automatically cleared on every startup.
data/_webpack
A storage for compiled webpack assets and cache files.
If you experience issues with the frontend after an update, try clearing this folder to force a full rebuild of the frontend assets.
data/access.log
A log file that records incoming HTTP requests to the server, after the first successful connection.
Inspect this file regularly to monitor for any suspicious activity.
data/cookie-secret.txt
Contains the secret key used for signing cookies in the server.
This file is automatically generated on the first startup if it doesn't exist.
Security checklist
These are just recommendations. Please consult a web application security specialist before making your ST instance live.
- Keep your operating system and runtime software, such as Node.js, up to date. This ensures your system has the latest security patches and fixes, which helps prevent potential vulnerabilities.
- Use a whitelist and a network firewall. Only allow trusted IP ranges to access the server.
- Enable basic authentication. It acts as a "master password" before you can access the front-end app.
- Alternatively, configure external authentication. Some known services for this are Authelia and authentik. See the SSO guide for details.
- Never leave admin accounts without passwords. The server will warn you on startup if you have any unprotected admin accounts.
- Use the discreet login setting outside the local network. This hides the user list from potential outsiders.
- Check the access logs often. They are written to the server console and to the access.log file and provide information about incoming connections, such as IP address and user agent.
- Configure HTTPS. For a localhost server, you can generate and use a self-signed certificate. Otherwise, you may need to deploy a reverse-proxy web server such as Traefik or Caddy.
- Configure and enable host whitelisting, especially if you're not using HTTPS encryption on a local network.
- Configure and enable private address whitelisting to prevent SSRF attacks.
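The whitelist and access-log items above can be combined into a small audit script. This is an added example, not part of SillyTavern itself: the exact line format of data/access.log is not described on this page, so a constructed "timestamp ip user-agent" layout is assumed, along with made-up trusted ranges and sample entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample entries in an assumed "timestamp ip user-agent" layout;
# the real access.log format may differ, adjust LINE_RE accordingly.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 192.168.1.20 Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2024-05-01T10:00:05Z 192.168.1.21 Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/605.1
2024-05-01T10:01:10Z 203.0.113.45 python-requests/2.31
2024-05-01T10:01:11Z 203.0.113.45 python-requests/2.31
2024-05-01T10:01:12Z 203.0.113.45 python-requests/2.31
2024-05-01T10:02:00Z 10.0.0.7 Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0
"""

# Assumed trusted ranges, mirroring the "only allow trusted IP ranges" item.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, ip_address, user_agent), or None if the line is unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, ua = m.groups()
    try:
        return ts, ipaddress.ip_address(ip), ua
    except ValueError:
        return None


def is_whitelisted(ip):
    return any(ip in net for net in WHITELIST)


def audit(log_text, burst_threshold=3):
    """Map each suspicious source IP to a sorted list of findings:
    connections from outside the whitelist, non-browser user agents
    (crude heuristic: no 'Mozilla' token), and bursts of repeated hits."""
    findings, hits = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        _ts, ip, ua = rec
        hits[ip] += 1
        if not is_whitelisted(ip):
            findings.setdefault(str(ip), set()).add("outside whitelist")
        if "Mozilla" not in ua:
            findings.setdefault(str(ip), set()).add("non-browser user agent")
    for ip, n in hits.items():
        if n >= burst_threshold:
            findings.setdefault(str(ip), set()).add("burst")
    return {ip: sorted(f) for ip, f in findings.items()}
```

Run it against the real file with `audit(open("data/access.log").read())` once LINE_RE matches your log layout; any IP reported as "outside whitelist" is a candidate for tightening the whitelist or firewall rules.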
Find more information about secure proxying in the following guide: Reverse Proxying SillyTavern.