Device Allowlist and Access Control
Syncthing's decentralized design means any device that knows your Device ID can attempt to connect. Access control is how you restrict which devices actually gain access and what they can touch.
Implement a strict allowlist model: only explicitly added devices can connect, and each device only has access to the specific folders you share with it.
| Mechanism | Default | Hardened |
|---|---|---|
| Unknown device connections | Notification only | Blocked until manually approved |
| Auto-accept new devices | Off | Off (keep off in production) |
| Folder share scope | Per-device, manual | Explicit — never share all folders |
| Device introduction | Off | Off in production |
| Max send/receive rate | Unlimited | Throttle on shared hosts |
The Allowlist Model
```mermaid
flowchart TD
    A[Remote Device attempts connection] --> B{Device ID in config.xml?}
    B -- No --> C[Connection refused — no data exchanged]
    B -- Yes --> D{Shared folders match?}
    D -- No match --> E[Connected but no folders synced]
    D -- Match --> F[Sync proceeds with TLS encryption]
```
Syncthing never syncs data with an unknown device — it simply refuses the connection. However, an unknown device can appear in the GUI as a pending device notification. You must explicitly add it.
Reviewing and Removing Devices
```bash
# List all configured device IDs from config
grep -A5 '<device ' ~/.local/share/syncthing/config.xml | grep -E 'id=|<name>'

# Remove a device: edit config.xml directly (while Syncthing is stopped)
systemctl --user stop syncthing
nano ~/.local/share/syncthing/config.xml
# Delete the <device ...>...</device> block for the stale peer
systemctl --user start syncthing
```
Removing a device from config does not delete its synced files. Files remain on disk. If you want to revoke access and clean up, also remove the shared folder on that peer and delete the local copy if needed.
Disabling Auto-Accept (Hardening)
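In config.xml, auto-accept is set per device. Ensure it is not enabled on any device entry; when enabled, folders offered by that peer are created automatically under the default folder path:
```xml
<device id="K3X2R..." name="office-laptop">
    <!-- Ensure this is false or absent -->
    <autoAcceptFolders>false</autoAcceptFolders>
</device>
```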
In the GUI: Actions → Settings → General → Accept incoming device introductions → Disable.
Per-Folder Sharing Control
Each folder must be explicitly shared with each device. Never share folders with devices that don't need them.
```xml
<folder id="docs-sync" path="/var/www/html/docs" type="sendreceive">
    <!-- Only THIS device can access this folder -->
    <device id="K3X2R..." introducedBy=""></device>
</folder>
```
In the GUI: Folder → Edit → Sharing tab → explicitly check only the devices that should sync this folder.
Rate Limiting Per Device
Prevent a single peer from saturating your network:
```xml
<device id="K3X2R..." name="office-laptop">
    <maxSendKbps>5120</maxSendKbps> <!-- 5 MB/s upload to this peer -->
    <maxRecvKbps>5120</maxRecvKbps> <!-- 5 MB/s download from this peer -->
</device>
```
Or globally via Actions → Settings → Connections → Rate limits.
Folder Permission Types
| Folder Type | This Device Sends Changes | This Device Receives Changes | Use Case |
|---|---|---|---|
| sendreceive | ✅ Yes | ✅ Yes | Standard bilateral sync |
| sendonly | ✅ Yes | ❌ No | This device is the source of truth |
| receiveonly | ❌ No | ✅ Yes | This device is a passive mirror |
| receiveencrypted | ❌ No | ✅ Encrypted only | Untrusted backup node |
Security Checklist
| Check | Action |
|---|---|
| No unexpected pending devices | GUI → Devices — dismiss/ignore unknown entries |
| All devices explicitly added | grep '<device' config.xml — no unfamiliar IDs |
| Auto-accept disabled | grep autoAcceptFolders config.xml → false |
| Revocation tested | Remove a test peer and confirm it can no longer sync |
| Rate limits on high-volume peers | Set maxSendKbps / maxRecvKbps per device |
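The config-level checks in this checklist can be scripted. The following is an added example, not part of Syncthing or of the original page: it parses config.xml and reports peers and folder shares that are not on an approved list, plus peers with autoAcceptFolders or introducer enabled. The sample config, the shortened device IDs, the APPROVED mapping and the audit function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml; device IDs are shortened placeholders, not real IDs.
SAMPLE = """<configuration>
  <folder id="docs-sync" path="/var/www/html/docs" type="sendreceive">
    <device id="LOCAL-AAAA"/><device id="OFFICE-BBBB"/>
  </folder>
  <folder id="backups" path="/srv/backups" type="sendonly">
    <device id="LOCAL-AAAA"/><device id="OFFICE-BBBB"/><device id="STALE-CCCC"/>
  </folder>
  <device id="LOCAL-AAAA" name="server" introducer="false"/>
  <device id="OFFICE-BBBB" name="office-laptop" introducer="true">
    <autoAcceptFolders>false</autoAcceptFolders>
  </device>
  <device id="STALE-CCCC" name="old-phone" introducer="false">
    <autoAcceptFolders>true</autoAcceptFolders>
  </device>
</configuration>"""

# Hypothetical approved list: device ID -> folder IDs that device may sync.
APPROVED = {"OFFICE-BBBB": {"docs-sync"}}

def audit(config_xml, approved, local_id):
    """Return sorted (device_id, finding) pairs for entries that break the allowlist."""
    root = ET.fromstring(config_xml)
    findings = set()
    for dev in root.findall("device"):  # top-level <device> = configured peer
        did = dev.get("id")
        if did == local_id:
            continue  # the local device lists itself; it is not a remote peer
        if did not in approved:
            findings.add((did, "device not on approved list"))
        if (dev.findtext("autoAcceptFolders") or "").strip() == "true":
            findings.add((did, "autoAcceptFolders enabled"))
        if dev.get("introducer") == "true":
            findings.add((did, "introducer enabled"))
    for folder in root.findall("folder"):  # nested <device> = folder shared with that peer
        for share in folder.findall("device"):
            did = share.get("id")
            if did != local_id and folder.get("id") not in approved.get(did, set()):
                findings.add((did, "unapproved share: " + folder.get("id")))
    return sorted(findings)

if __name__ == "__main__":
    for did, finding in audit(SAMPLE, APPROVED, "LOCAL-AAAA"):
        print(f"{did}: {finding}")
```

To audit a live node, pass the contents of its config.xml and its own device ID as local_id; an empty result means every configured peer and share matches the approved list.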
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| Clicking "Add Suggested Device" blindly | Granting sync access to a wrong device | Always verify Device ID out-of-band before accepting |
| Sharing all folders with all devices | Data leak if a device is compromised | Use explicit per-folder sharing |
| Leaving stale devices after staff offboarding | Former employees can still sync | Audit and remove devices after any access change |