Releases: FlaxiGG/ServerWebAdmin
Release list
MinePanel v1.6.0 — Accountability & Audit Update
🚀 Overview
MinePanel v1.6.0 introduces a brand-new Audit Log System, providing complete visibility into administrative activities performed through the web panel.
Server owners can now review important actions performed by administrators, making MinePanel significantly more suitable for production environments.
This release focuses on accountability, transparency, and operational security.
✨ New Features
📝 Audit Log System
Added a dedicated Audit Logs page for reviewing administrative activities.
Each audit entry records:
- Timestamp (UTC)
- Username
- Role
- IP Address
- Severity
- Action
- Target
- Status
- Additional Details
🔎 Powerful Search & Filtering
Audit logs can now be filtered by:
- Username
- Role
- Action
- Severity
- Status
- Date
- Search keyword
Sorting:
- Newest First
- Oldest First
🚦 Severity Levels
Every event is automatically classified by severity.
Supported levels:
- 🟢 INFO
- 🟡 WARNING
- 🔴 CRITICAL
This makes important actions easy to identify at a glance.
📂 Audit Categories
MinePanel now records activities across multiple modules.
Supported categories include:
Authentication
- Login Success
- Login Failed
- Logout
- Password Changed
- Session Expired
User Management
- User Created
- User Updated
- User Deleted
- Role Changed
- Password Reset
Player Management
- Kick
- Ban
- Unban
- Heal
- Feed
- Kill
- Gamemode
- Teleport
File Manager
- File Created
- File Edited
- File Deleted
- File Uploaded
- File Downloaded
- File Renamed
- File Moved
- Directory Created
- Directory Deleted
Server Operations
- Save
- Reload
- Stop
Console
- Console Commands
Settings
- Configuration Changes
- Host Changes
- Port Changes
- Session Timeout Changes
🔐 Permission Protected
Audit Logs are fully integrated with the existing permission system.
Current permissions:
- Owner → Full access
- Admin → View access
- Moderator → No access
- Viewer → No access
Unauthorized access returns:
403 Permission Denied
⚡ Performance Improvements
Designed for long-term production usage.
Features include:
- In-memory caching
- Efficient filtering
- Fast searching
- Runtime updates
- Configurable log retention
The system is designed to support thousands of audit records efficiently.
🏗 Internal Improvements
Added:
- AuditLogManager
- Audit Controller
- Audit Models
- Severity System
- Status System
- Action Enums
- Storage Abstraction Layer
- JSON Storage Provider
The architecture has been designed to support future storage providers (SQLite, databases) without changing business logic.
🔒 Security
Sensitive information is never stored inside audit logs.
Excluded data:
- Passwords
- BCrypt hashes
- Session Tokens
- Cookies
- Recovery Codes
- 2FA Secrets
🎯 Foundation for Future Versions
The Audit System prepares MinePanel for future features, including:
- Backup & Restore
- Security Enhancements
- MineCore Integration
- Multi-module Ecosystem
❤️ Thank You
Thank you to everyone who continues testing MinePanel, reporting bugs, and suggesting new features.
Community feedback continues to shape the future of the project.
Built with ❤️ by FlaxiLabs
MinePanel v1.5.0 — Settings Center Update
MinePanel v1.5.0 introduces a new Settings Center, allowing server owners to manage important MinePanel configuration directly from the web panel.
This update reduces the need to manually edit config.yml and makes MinePanel feel more like a complete Minecraft server management panel.
New Feature — Settings Center
Added a dedicated Settings page for managing MinePanel configuration from the browser.
Available settings include:
- Web Server Settings
- Security Settings
- Alert Message Settings
- Account Settings
Web Server Settings
You can now manage web server configuration directly from the panel.
Supported options:
- Web host
- Web port
- Allow external access
- Safe fallback binding
When web server settings are saved, MinePanel safely restarts the embedded NanoHTTPD web server.
The restart process now waits until the HTTP response is sent before restarting, preventing socket closed errors.
Security Settings
Added web-based security configuration.
Supported options:
- Session timeout
- Auto logout behavior
- Login/session related security options
This makes it easier to adjust security behavior without manually editing configuration files.
Alert Message Settings
Alert messages can now be edited from the Settings page.
Supported messages include:
- Kick message
- Ban reason
- Ban kick message
- Reload confirmation message
- Server stop warning message
Account Settings
Users can now manage their own account information.
Supported actions:
- View username
- View current role
- Change own password
This allows users to update their password without requiring access to the User Management page.
Permission-Based Settings Access
Settings access is integrated with the existing role permission system.
Protected settings are only visible to users with the required permissions.
Unauthorized API requests return:
{
"success": false,
"message": "Permission denied"
}File Manager Update
MinePanel v1.4.0 — File Manager Update
This update introduces one of the most requested features from the community.
MinePanel now includes a built-in File Manager, allowing server owners to manage server files directly from the web panel without accessing FTP or SSH.
This feature focuses on safe file management while keeping server security as the highest priority.
✨ New Feature — File Manager System
MinePanel now supports direct file management inside the web panel.
Available functions:
- Browse files and folders
- Read text-based files
- Edit and save configuration files
- Upload files
- Download files
- Create folders
- Rename files and folders
- Delete files and folders
This allows server owners to manage important server files directly from the browser.
📂 File Browser
Added a new File Manager page.
Supported:
- Folder navigation
- Parent directory navigation
- File size display
- File type detection
- Folder/file separation
Users can now browse server files without leaving MinePanel.
📝 Built-in Text Editor
Added a lightweight built-in text editor.
Features:
- Monospace editor layout
- Line number support
- UTF-8 safe file handling
- Direct file save
Supported editable file types:
- .txt
- .yml
- .yaml
- .json
- .properties
- .log
- .conf
- .toml
- .xml
This makes editing configuration files much easier.
⬆ File Upload System
Added file upload support.
Implementation:
- multipart/form-data upload handling
- NanoHTTPD native body parsing
- Maximum upload size limit (5MB)
Supported upload types:
- png
- jpg
- txt
- json
- yml
- yaml
- properties
- log
Unsafe file types are blocked automatically.
⬇ Direct File Download
Added direct file download support.
Implementation:
- Native NanoHTTPD file streaming
- Content-Disposition attachment support
- Binary-safe downloads
No Base64 encoding is used.
This reduces memory usage and improves performance.
📁 Folder Management
Added folder management features.
Supported:
- Create folder
- Rename file/folder
- Delete file/folder
Delete operations now require confirmation before execution.
🔐 New File Permissions System
Added new permissions for role-based access.
New permissions:
- files.view
- files.read
- files.edit
- files.upload
- files.download
- files.delete
- files.rename
- files.mkdir
Permission mapping:
Owner
Full file access
- files.*
Admin
Limited file access
- files.view
- files.read
- files.edit
- files.download
Moderator
No file access
Viewer
No file access
🛡 Security Improvements
File Manager was designed with security as a priority.
Added protections:
Path Traversal Protection
Blocked dangerous path access attempts such as:
../
../../
C:\
/etc/
Windows/System32
All paths now use canonical path validation.
Dangerous File Blocking
Blocked dangerous file types:
.jar
.class
.exe
.bat
.sh
.dll
These files cannot be uploaded or edited.
Server Core Protection
Blocked access to server core files.
Protected examples:
paper.jar
spigot.jar
server.jar
This prevents accidental server corruption.
Large File Protection
Files larger than the safe editor limit cannot be opened in the editor.
This prevents memory spikes caused by extremely large files.
🛡 3-Layer Permission Protection
File Manager uses the same security architecture as RBAC.
Layer 1 — Sidebar Protection
Users without file permissions cannot see File Manager navigation.
Layer 2 — Frontend Protection
Restricted users cannot open File Manager pages.
Displayed message:
You are not able to see this
Layer 3 — Backend API Protection
All file APIs validate permissions server-side.
Direct unauthorized API requests using:
- curl
- Postman
- Browser requests
Return:
{
"success": false,
"message": "Permission denied"
}⚙ Internal Changes
Added systems:
- FileManagerService.java
- Native multipart upload handler
- Native binary file streaming
- Text file editor system
- Path validation system
- Dangerous file filtering
- File permission middleware
- Frontend file browser UI
Notes
This version focuses on Safe File Management.
Advanced features are intentionally not included in this release.
Not included in this version:
- ZIP / Unzip
- Plugin JAR upload
- Backup system
- Cloud backup
- Syntax highlighting editor
- Plugin Manager
- File version history
These may be considered in future versions.
Compatibility
Minecraft Versions
- 1.13.2+
- Tested up to 26.2
Java Versions
- Java 8+
- Tested on Java 8 / Java 21 / Java 25
Supported Server Software
- Spigot
- Paper
- Purpur (Experimental)
Thank you to everyone providing feedback and helping improve MinePanel.
MinePanel continues evolving based on real community feedback.
More updates coming soon 🚀
Role-Based Access Control Update
MinePanel v1.3.0 — Role-Based Access Control Update
This update introduces one of the biggest improvements to MinePanel so far.
MinePanel now supports multi-user access with a complete fixed role-based permission system, allowing server owners to safely manage staff access across the web panel.
This update was built directly from community feedback.
✨ New Feature — Role Based Access Control (RBAC)
MinePanel now supports 4 fixed permission roles.
Available roles:
- Owner
- Admin
- Moderator
- Viewer
Each role has different access permissions inside the panel.
👑 New Default Account System
The default account has been changed.
Before:
admin / admin123
Now:
owner / admin123
Default account properties:
role = owner
mustChangePassword = true
The first login still requires a mandatory password change for security.
🔐 Permission Roles
Owner
Full access to everything.
Permissions:
- Dashboard
- Players Management
- Console View
- Console Commands
- Ban Management
- Whitelist Management
- Weather / Time Controls
- Player Actions (Kick, Ban, Heal, Feed, Kill, Gamemode, Teleport)
- Save Server
- Reload Server
- Stop Server
- User Management
Admin
Administrative access.
Permissions:
- Dashboard
- Players Management
- Console View
- Console Commands
- Ban Management
- Whitelist Management
- Weather / Time Controls
- Player Actions
Restrictions:
- Cannot manage users
- Cannot reload server
- Cannot stop server
Moderator
Basic moderation access.
Permissions:
- Dashboard
- Players List
- Console View
- Kick Players
Restrictions:
- Cannot execute console commands
- Cannot ban players
- Cannot manage whitelist
- Cannot manage users
- Cannot reload or stop server
Viewer
Read-only access.
Permissions:
- Dashboard
- Players List
Restrictions:
- No server actions allowed
🛡 3-Layer Permission Protection
MinePanel now protects restricted actions using 3 security layers.
Layer 1 — Sidebar Protection
Navigation items are automatically hidden if the user does not have permission.
Example:
- No user permission → User Management tab hidden
- No console permission → Console tab hidden
Layer 2 — Frontend Page Protection
If a user tries to manually access a restricted page:
You are not able to see this
The page will be blocked before loading.
Layer 3 — Backend API Protection
All protected API endpoints now validate permissions server-side.
Even if users try direct requests using:
- curl
- Postman
- Browser requests
MinePanel will return:
{
"success": false,
"message": "Permission denied"
}Frontend will automatically show an error toast.
🎨 Frontend Permission-Based UI
Buttons and actions are automatically hidden if the user does not have permission.
Examples:
Hidden automatically:
- Kick button
- Ban button
- Reload Server button
- Stop Server button
- User Management page
- Player action buttons
- Console command input
This keeps the interface clean and prevents accidental misuse.
🔒 Security Rules (User Management)
Additional security protections were added.
Rules:
- Owner account cannot be deleted
- Owner cannot change its own role
- Owner account cannot be created manually through UI
- Only Owner can manage users
- Admin cannot manage users
- Moderator cannot manage users
- Viewer cannot manage users
This prevents privilege mistakes and account lockout scenarios.
📋 Permission Matrix
| Feature | Owner | Admin | Moderator | Viewer |
|---|---|---|---|---|
| Dashboard | ✅ | ✅ | ✅ | ✅ |
| Players List | ✅ | ✅ | ✅ | ✅ |
| Console View | ✅ | ✅ | ✅ | ❌ |
| Console Commands | ✅ | ✅ | ❌ | ❌ |
| Bans List | ✅ | ✅ | ❌ | ❌ |
| Whitelist View | ✅ | ✅ | ❌ | ❌ |
| Whitelist Add/Remove | ✅ | ✅ | ❌ | ❌ |
| Weather / Time Controls | ✅ | ✅ | ❌ | ❌ |
| Kick Player | ✅ | ✅ | ✅ | ❌ |
| Ban / Heal / Feed / Kill / Gamemode / TP | ✅ | ✅ | ❌ | ❌ |
| Save Server | ✅ | ❌ | ❌ | ❌ |
| Reload Server | ✅ | ❌ | ❌ | ❌ |
| Stop Server | ✅ | ❌ | ❌ | ❌ |
| User Management | ✅ | ❌ | ❌ | ❌ |
⚙ Internal Changes
Updated systems:
- New centralized permissions map
- Backend permission middleware (
hasPermission()) - Frontend permission-based UI rendering
- 403 unauthorized API protection
- Updated user account structure with roles
- Updated default account creation flow
- Updated authentication flow to support roles
📌 Notes
This version uses Fixed Roles Only.
Custom Role Editor is not included in this update.
The goal of this release is:
- Simplicity
- Stability
- Better security
- Better multi-user support
Custom roles may be considered in future versions depending on community feedback.
Compatibility
Minecraft Versions
- 1.13.2+
- Tested up to 1.26.2
Java Versions
- Java 8+
- Tested on Java 8 / Java 21 / Java 25
Supported Server Software
- Spigot
- Paper
- Purpur (Experimental)
Thank you to everyone providing feedback and helping improve MinePanel.
MinePanel continues evolving based on real community feedback.
More updates coming soon 🚀
MinePanel v1.2.1 — Compatibility Update
MinePanel v1.2.1 — Compatibility Update
Compatibility
- Added tested support for Minecraft 26.1 - 26.2
- Tested on Java 25
- Confirmed MinePanel core features work on the latest server versions
Notes
- No major code changes were required
- MinePanel is compiled with Java 8 target bytecode for broad compatibility
- Newer Java runtimes such as Java 21 and Java 25 can run the existing build normally
Tested Features
- Web dashboard
- Login system
- Session cookie authentication
- Live console
- Player management
- Network host/port configuration
Network Compatibility Update
MinePanel v1.2.0 — Network Compatibility Update
This release focuses on improving MinePanel compatibility with VPS, local machines, Docker-based hosting, shared Minecraft hosting, Pterodactyl-style environments, NAT port mapping, and reverse proxy setups.
Highlights
Added safer host binding behavior
Added public IP detection and automatic fallback
Added
host: autosupportAdded
fallback-to-anyoptionImproved compatibility with shared hosting providers
Improved reverse proxy support
Improved network error logging
Prevented plugin startup failure caused by invalid public IP binding
Network Binding Improvements
MinePanel now handles more hosting environments safely.
Supported host values:
web:
host: 0.0.0.0
port: 8080
fallback-to-any: true
Supported examples:
0.0.0.0— listen on all interfaces127.0.0.1— local onlylocalhost— normalized to127.0.0.1192.168.x.x— local LAN IPauto— auto-detects the best available LAN hostPublic IPs — now detected and safely redirected to
0.0.0.0
Public IP Binding Fix
Fixed an issue where users could not start MinePanel when using a public IP address in config.yml.
Before
Using:
web:
host: 131.196.x.x
could cause MinePanel to fail because public IP addresses are usually not available as local network interfaces inside Docker, shared hosting, or NAT-based hosting environments.
Now
MinePanel detects public IP addresses and automatically falls back to:
web:
host: 0.0.0.0
This prevents startup failure and improves compatibility with hosting providers that generate or map public ports.
Safe Bind Fallback
Added a new option:
web:
fallback-to-any: true
If MinePanel cannot bind to the configured host, it will automatically try:
0.0.0.0
If fallback is disabled, MinePanel will stop the web server startup safely and print a clear error message instead of crashing the plugin.
Improved Error Logging
Network errors are now easier to understand.
MinePanel now explains possible causes such as:
Docker container environment
Shared Minecraft hosting
Pterodactyl-style hosting
Public IP not assigned to the local machine
Port already in use
Reverse proxy or NAT port mapping setup
The log also recommends fixes such as:
Use
host: 0.0.0.0Use the port generated by your hosting provider
Configure port forwarding correctly
Use Nginx or Cloudflare Tunnel as a reverse proxy
Reverse Proxy Support
MinePanel continues to support reverse proxy environments through X-Forwarded-For detection.
This helps preserve the real client IP when running behind:
Nginx
Cloudflare Tunnel
Reverse proxy systems
Config Update
The config structure remains backward compatible.
Existing users do not need to recreate their config file.
New comments were added to explain:
When to use
0.0.0.0When to use
127.0.0.1Why public IPs should not be used directly
How
fallback-to-anyworks
Compatibility Matrix
Config | Before | v1.2.0 -- | -- | -- host: 0.0.0.0 | Works | Works host: 127.0.0.1 | Works | Works host: localhost | Works | Works host: 192.168.x.x | Works | Works host: auto | Not supported | Supported host: public IP | Failed to bind | Warning + fallback Bind failure | Web server may fail | Safe fallback available fallback-to-any: false | Not available | Clear error, no fallbackChanged Files
config.ymlAdded detailed host binding comments
Added
fallback-to-anyImproved network configuration documentation
ServerWebAdmin.javaRemoved old local-interface-only host validation
Added public IP detection
Added
host: autoAdded safe bind fallback
Improved BindException and IOException logging
Recommended Hosting Config
For most users, especially shared hosting or Pterodactyl-style environments:
web:
host: 0.0.0.0
port: 8080
fallback-to-any: true
Do not set host to your public IP address.
Use the port provided by your hosting panel or configure port forwarding through your hosting provider.
Thank you to the community members who helped test and report hosting compatibility issues.
Major Infrastructure & Dashboard Update
MinePanel v1.1.0 — Major Infrastructure & Dashboard Update
This release introduces major improvements focused on network security, dashboard redesign, console stability, user experience, and automation improvements.
Network Configuration & Reverse Proxy Support
A major infrastructure update focused on improving deployment flexibility and security.
Added
- Configurable web server host and port in
config.yml - New
allow-externaloption for controlling external access - Support for localhost-only mode (
127.0.0.1) for secure reverse proxy setups - Reverse proxy IP detection via
X-Forwarded-For
Improved
- Better compatibility with reverse proxies such as Nginx and Cloudflare Tunnel
- Graceful handling for
BindExceptionwhen port is already in use - Graceful handling for invalid hostname (
UnknownHostException) - Automatic web server shutdown on plugin reload
Complete Dashboard Redesign
The dashboard has been fully redesigned for a cleaner and more professional server management experience.
New Dashboard Layout
-
New banner card with server MOTD and Minecraft version
-
Added quick action SVG buttons
-
4 new system monitoring cards:
- Online Players
- TPS Monitor
- RAM Usage (with progress bar)
- CPU Usage (real system CPU percentage)
Layout Improvements
-
New 40/60 split dashboard layout
-
System Information section:
- Operating System
- Server Uptime
-
Live Console Preview integrated directly into dashboard
Page Restructure
- Removed player list from dashboard
- Added dedicated Players Management page
Sidebar Navigation Improvements
Sidebar is now organized into logical sections for better navigation.
New Structure
Main
- Dashboard
- Console
Administration
- Players
- Whitelist
- Bans
Management
- Users
UI Improvements
-
Added section titles
-
New semantic action button colors:
- Save
- Reload
- Stop
Performance Monitoring Improvements
Added
-
Real CPU monitoring using Java reflection (
com.sun.management) -
CPU status indicator with dynamic color coding:
- Green → Healthy
- Amber → Medium load
- Red → High load
Console Stability Improvements
Fixed console log reading issues on different server environments.
Fixed
- Console now properly reads server logs using correct server root path
- Better fallback handling when console output is empty
New /webadmin reload Command
Added plugin hot reload support.
Added
/webadmin reload
This command now:
- Stops current web server safely
- Reloads configuration
- Reinitializes plugin automatically
Custom Confirm Modal System
Browser native alerts and confirm dialogs have been completely replaced.
New Modal Features
- Custom confirmation modal system
- Better UI consistency across all actions
- Dedicated danger confirmation button styling
Protected Actions
Added confirmation modal for:
- Kick Player
- Ban Player
- Stop Server
- Reload Server
- Unban Player
- Remove Whitelist Entry
- Remove User
New Reason Input
Kick and Ban actions now require reason input before confirmation.
Auto Refresh System
Several pages now refresh automatically for better real-time monitoring.
Added
- Players page refresh every 5 seconds
- Bans page refresh every 10 seconds
- Users page refresh every 30 seconds
Internal Improvements
- Improved page loading system
- Added failsafe protection for missing DOM elements
- Improved route hash navigation
- Better frontend state handling
Thank you to everyone testing MinePanel and providing valuable feedback.
More improvements coming soon 🚀
Security & Style 1.0.1
Architecture Change
- Extracted UI from Java — All HTML/CSS/JS moved from embedded Java string (WebServer.java ~900 lines removed) to standalone files
Authentication System
- BCrypt — Passwords hashed with BCrypt instead of plaintext
- Session Tokens — UUID v4 generated per login, stored in server-side sessions map
- HttpOnly Cookie — Token transmitted via Set-Cookie: token=xxx; HttpOnly; Path=/; SameSite=Lax; Max-Age=300
- Session Expiry — 5 minutes inactivity timeout, auto-refreshes on each API call
- Backward compat — getToken(session) checks both Cookie header AND query param ?token=
- Logout — clears server session + deletes cookie
Login Flow
- Username + Password login (not single token)
- Default user: admin / admin123 auto-created on first run
- mustChange flag — If password is still admin123, forces password change modal
- Heartbeat API — Global 2-minute interval keeps session alive; 401 → auto-logout
- Button loading state — "Signing in…" with disabled button during login request
Theme System
- Light/Dark toggle — Button in sidebar (bottom, before Logout)
- CSS Variables — 30+ CSS custom properties, overridden in body.dark
- Dark theme: #12121f background, #1c1c33 cards, #c0c0d0 text
- color-scheme: dark on dark mode (native scrollbar/input)
- localStorage persists theme preference
- Auto-applies on page load from saved preference
Fixed Sidebar
- position: fixed — Sidebar no longer scrolls with page content
- left: 0; top: 0; bottom: 0; z-index: 50
- Content area uses padding-left: 240px
- Mobile: padding-top: 60px + sidebar becomes top bar
### MinePanel v1.0.1
Major Architecture Update
- Extracted all UI files from embedded Java strings
- Moved HTML, CSS, and JavaScript into standalone resource files
- Removed around 900 lines from
WebServer.java - Improved maintainability and frontend development workflow
Security & Authentication
- Added username/password login
- Added BCrypt password hashing
- Added UUID v4 session tokens
- Added HttpOnly cookie-based sessions
- Added 5-minute inactivity timeout
- Added forced password change for the default admin account
- Added logout session cleanup
UI Improvements
- Added Light/Dark theme toggle
- Added persistent theme preference
- Added fixed sidebar layout
- Improved mobile layout
- Added login loading state
Compatibility
- Token lookup now supports both cookie-based sessions and
?token=query parameter for backward compatibility