Add HTTP response headers for increased security #2402

Closed
opened 2025-10-09 18:03:59 +03:00 by OVERLORD · 5 comments

Originally created by @DrMurx on GitHub.

The web vault already contains an exhaustive CSP as a meta tag, but there are some more headers which should be set to protect API and vault:

  1. `Referrer-Policy=same-origin` to avoid leaking the web vault's address to 3rd parties, see [MDN: Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
  2. `X-Frame-Options=SAMEORIGIN` to prevent embedding of the web vault into malicious 3rd party sites ("clickjacking"), see [MDN: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
  3. `X-Content-Type-Options=nosniff` to prevent some browsers' content-based MIME type detection, see [MDN: X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
  4. `X-XSS-Protection=1; mode=block` for inline-JS protection in some pre-CSP compatible browsers, see [MDN: X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)

I'm currently setting those headers in a web-facing nginx proxy, but it can't hurt to already amend the responses from the Rust server properly.
@DrMurx commented on GitHub:

Geez... you are amazingly fast. 👍

@j0sh3rs commented on GitHub:

@szaimen Hopefully you found it, but the link in the MR for what CSP is for the web vault can be found here: https://github.com/thelittlefireman/bitwarden_rs/commit/89edcb05e9f67a1e13de25e6a07f4366f50a6f90#diff-fc0ffe90dc2cecb965fb03351a63ea876ad27447adea2bee9a6c84084910c988R36
@szaimen commented on GitHub:

> The web vault already contains a exhaustive CSP as meta tag

Hi, sorry for bringing this up again, but do you have a pointer in the code where CSP is set for the web vault?
I am running bitwarden_rs on a reverse proxy and observatory.mozilla.com complains about a missing CSP header, so I am looking for working CSP headers. Thanks!
@dani-garcia commented on GitHub:

This should be fixed now, thanks!

@dheimerl commented on GitHub:

I found an issue with this. When using U2F, you aren't prompted to insert your U2F key with the Chrome browser extension (haven't tested any other browsers), so you aren't able to log in using that two-factor option. This error appears in the console:

`Refused to display 'https://example.com/u2f-connector.html?data=eyJhcHBJZCI6Imh0dHBzOi8vYncudW5pdGVsaW5jLmNvbTo2NDQzL2FwcC1pZC5qc29uIiwiY2hhbGxlbmdlIjoiWkROa2VrVkpkVXhVUVhOa1lURlNZVVExUlhZNGNXbEZUMVJWUmpKbWNIbzBRVTV3TmpWbGRrNW5WVDA9Iiwia2V5cyI6W3sidmVyc2lvbiI6IlUyRl9WMiIsImtleUhhbmRsZSI6IkFUcm1sYjJha1FJTE16VmRZNFozZWxnVzA2amgtcGlxcFJTYWxibGZVRnFuVWN1dGFvUHZROGV6XzVQcDEzNmF3MGozc0pkSDdLVW5DelFiQW4wdmZ0NUtXWksyaWlONVpGZ3dZQlcwdVV5Z1MtTElYNFUzY3F6a194QVI2R2RqIn1dfQ==&parent=chrome-extension%3A%2F%2Fnngceckbapebfimnlniiiahkandclblb%2Fpopup%2Findex.html%23%2F2fa&v=1' in a frame because it set 'X-Frame-Options' to 'sameorigin'.`

I made this change to src/api/web.rs right below the X-Frame-Options header:

`res.set_raw_header("Content-Security-Policy", "frame-ancestors chrome-extension://*");`

This only fixes the issue for Chrome, so I'm not sure if there is a better way to handle this. Using CSP frame-ancestors overrides the X-Frame-Options header on Chrome. I tested and the Chrome extension works properly with U2F after putting in this header.
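The header set from the original post and the per-path exception from the comment above, as an added example in plain std Rust (not vaultwarden's own `web.rs` code, which uses Rocket): `security_headers` emits the four headers, but for the U2F connector page it replaces `X-Frame-Options: SAMEORIGIN` with a `frame-ancestors` directive pinned to the extension id seen in the console error rather than the `chrome-extension://*` wildcard, and `missing_headers` audits a captured response the way an external scanner would. The connector path, the sample response and the choice to pin a single extension origin are assumptions.

```rust
use std::collections::HashMap;

// Extension origin taken from the `parent=` parameter in the console error above.
// Pinning the id (instead of `chrome-extension://*`) keeps other extensions from framing the page.
const EXTENSION_ORIGIN: &str = "chrome-extension://nngceckbapebfimnlniiiahkandclblb";

/// Security headers for a response to `path` (hypothetical policy, not the project's).
/// The U2F connector must be embeddable by the extension popup, so it gets a CSP
/// `frame-ancestors` directive (honoured over X-Frame-Options) instead of SAMEORIGIN.
pub fn security_headers(path: &str) -> Vec<(&'static str, String)> {
    let mut headers = vec![
        ("Referrer-Policy", "same-origin".to_string()),
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("X-XSS-Protection", "1; mode=block".to_string()),
    ];
    if path.ends_with("/u2f-connector.html") {
        let csp = format!("frame-ancestors 'self' {}", EXTENSION_ORIGIN);
        headers.push(("Content-Security-Policy", csp));
    } else {
        headers.push(("X-Frame-Options", "SAMEORIGIN".to_string()));
    }
    headers
}

/// Parse the header block of a raw HTTP/1.1 response into lowercase name -> value.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.split("\r\n")
        .skip(1) // status line
        .take_while(|line| !line.is_empty()) // stop at the blank line before the body
        .filter_map(|line| line.split_once(':'))
        .map(|(k, v)| (k.trim().to_ascii_lowercase(), v.trim().to_string()))
        .collect()
}

/// Audit a captured response: names of expected headers that are absent or carry another value.
pub fn missing_headers(raw: &str, path: &str) -> Vec<&'static str> {
    let got = parse_headers(raw);
    security_headers(path)
        .into_iter()
        .filter(|(name, want)| match got.get(&name.to_ascii_lowercase()) {
            Some(v) => !v.eq_ignore_ascii_case(want),
            None => true,
        })
        .map(|(name, _)| name)
        .collect()
}

fn main() {
    // Constructed sample response from a server that only sets X-Frame-Options.
    let sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>";
    println!("missing: {:?}", missing_headers(sample, "/app/index.html"));
}
```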
Reference: starred/vaultwarden#2402