Testing Whether or Not Discord Actually Deletes Files

Discord is a text and voice communication platform marketed towards gamers. One main feature of their text platform is the ability to upload up to 8MB (50MB for paying users) files and embed them in messages. Each file has a publicly accessible permalink which allows sharing it outside of Discord. One common criticism that seems to be floating around is that Discord doesn’t delete your files if you delete the messages they are attached to. The proof for this is that if you delete a message containing a file and immediately try to access the permalink to it, the file still shows up, with the conclusion being Discord didn’t delete it as requested. I decided to test this to ultimately figure out what actually happens.

When you copy the permalink to a file in the Discord application, it is served from the domain cdn.discordapp.com. Like the rest of Discord’s infrastructure, requests to this domain are proxied through Cloudflare‘s platform. Cloudflare acts as Discord’s Content Delivery Network which they take heavy advantage of to greatly decrease the amount of data they have to serve. Cloudflare’s CDN saves them at least a whopping 2 petabytes of data every month.

Discord’s excuse for files continuing to get served after they have been deleted is due to an aggressive caching policy. This makes a lot of sense as Cloudflare allows you to customize how long they cache your service’s content, so Discord could have this set to a high value like a week.

While we could just leave it at that, I felt it was still worth testing just to make sure an aggressive caching policy is actually what is causing files to get continually served. Additionally, since files have to be uploaded with a message, this test could also indicate whether or not Discord properly deletes messages.

To start off, I created a brand new server in the Discord application and created three text channels to test three different events where files could get deleted.

And in each channel, I uploaded a different randomly generated bitmap image generated at RANDOM.ORG.

I then saved the permalink to each of the images:

I requested all three images, and the images all downloaded as expected.

I then got to the actual test where I deleted the images in three different ways. For the message in the delete-message channel, I deleted the message normally.

Next, for the delete-channel channel, I deleted the entire channel without touching the message inside it.

And for the final channel, delete-server, I deleted the entire server without touching the channel or the message inside it.

I then requested the images again and they still downloaded normally.

The difference here is that this is actually Cloudflare serving a cached copy of the file. We can see in the headers that Cloudflare tells us whether or not our request hit their cache.

While I could have just waited a while until one of those links expired in Cloudflare’s cache, I took a different approach. When Cloudflare caches content, it only does so at the datacenter it was requested from. Since I was the only one to have ever accessed the files, they should only be cached at the datacenter closest to me. I took advantage of this mechanic to see what the actual current state of the images were on Discord by requesting the same images from different regions.

The simplest way to do this is provide the links to a friend in a different region and ask what the links return. I ended up asking two different friends and they both said that these were the states of the images:

  • delete-message Channel Image – Returns a 403 forbidden error.
  • delete-channel Channel – Loads normally!
  • delete-server Channel – Loads normally!

This is a bit concerning as I expected all three to return some type of error. I ended up waiting just to see how long it would take for myself to get the same results, and sure enough within a week the delete-message channel image started returning the same 403 forbidden error. This means Discord probably has Cloudflare caching their service’s content for about a week.

The next mystery with this ends up being why this is a 403 forbidden error instead of 404 not found error. As it turns out, if you feed it any link, it returns the exact same error.

In conclusion, I think we can assume that Discord properly deletes files and messages when the user explicitly requests each of them are deleted. As for files and messages in deleted channels and servers, those may potentially stick around indefinitely. It’s been a week since the test to when this blog post was published and the images are still publicly accessible.

If anything changes, I will update this blog post, but until then it’s probably best for those who want to delete their files and messages to do so one message at a time instead of deleting entire channels or guilds.

Leave a Reply