Using the wrong Permission and Channel settings in an application can lead to unexpected behavior, security holes, scaling problems, performance issues, and crashes. It is essential to review these settings before deploying an application in a production environment. This section will help you make sure these application settings are configured optimally.
In the Stream dashboard, under the settings for your application, make sure Permission Checks are not disabled. The Stream API is built with a complex yet flexible permission system that checks whether a user has permission to perform each action based on their user role (e.g. channel member vs. moderator). Disabling this permission layer opens your application to vulnerabilities, such as a user modifying another user's messages. While disabling the permissions can be helpful in development environments when debugging an application, permissions should never be disabled on a production application.
Within each channel type, some settings are available that apply to all channels of that type. Among these settings are the ability to enable/disable each event type. When disabled, events of that type (for channels of this type) will not be passed through to a client's open WebSocket connection. It's also important to note that increasing the events enabled on a channel type also increases the load on clients in those channels.
For Livestream type channels, we recommend disabling Connect, Read Events, and Typing Events. These will cause performance issues and don't generally add to the user experience in these use cases.
Also consider using [Slow Mode](https://getstream.io/chat/docs/slow_mode/?language=js#channel-slow-mode) for Livestream events.
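A pre-deploy check covering both the Permission Checks setting and the Livestream event recommendation above, as an added example rather than Stream's own code. The function name `auditChatSettings`, the input object shape, and the field names `disable_permissions_checks`, `connect_events`, `read_events` and `typing_events` are assumptions about how the settings are exported; confirm them against your SDK version.

```javascript
// Added example: offline audit of settings objects before a production deploy.
// Assumption: the inputs are plain objects shaped like Stream app settings and
// channel type configs; the sample values below are constructed.
const LIVESTREAM_EVENT_FLAGS = ['connect_events', 'read_events', 'typing_events'];

function auditChatSettings(appSettings, channelTypes, opts = {}) {
  const { environment = 'production', livestreamTypes = ['livestream'] } = opts;
  const findings = [];

  // Permission Checks must stay enabled in production.
  if (environment === 'production' && appSettings.disable_permissions_checks === true) {
    findings.push({ severity: 'critical', scope: 'app',
      setting: 'disable_permissions_checks',
      reason: 'permission checks are disabled on a production app' });
  }

  // Livestream-style channel types: each noisy event flag should be explicitly false.
  for (const typeName of livestreamTypes) {
    const cfg = channelTypes[typeName];
    if (!cfg) continue; // type not defined in this app
    for (const flag of LIVESTREAM_EVENT_FLAGS) {
      if (cfg[flag] !== false) {
        findings.push({ severity: 'warning', scope: `channel_type:${typeName}`,
          setting: flag,
          reason: cfg[flag] === undefined ? 'flag not set explicitly' : 'event type is enabled' });
      }
    }
  }
  return findings;
}

// Constructed sample: a development-style configuration and its reviewed form.
const weakApp = { disable_permissions_checks: true };
const weakTypes = {
  livestream: { connect_events: true, read_events: true }, // typing_events missing
  messaging: { connect_events: true, read_events: true, typing_events: true },
};
const reviewedApp = { disable_permissions_checks: false };
const reviewedTypes = {
  livestream: { connect_events: false, read_events: false, typing_events: false },
  messaging: weakTypes.messaging,
};

for (const f of auditChatSettings(weakApp, weakTypes)) {
  console.log(`[${f.severity}] ${f.scope} ${f.setting}: ${f.reason}`);
}
console.log('reviewed findings:', auditChatSettings(reviewedApp, reviewedTypes).length);
```

Run it in CI against an exported copy of the settings and fail the build on any `critical` finding; pass custom livestream-style type names through `opts.livestreamTypes`.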