docs: add SECURITY.md

This commit is contained in:
qaz741wsd856 2026-01-08 08:48:22 +00:00
parent 663f2b59d2
commit 85d2922332

55
SECURITY.md Normal file
View file

@ -0,0 +1,55 @@
# Security Policy
Warden is a self-hosted, Bitwarden-compatible backend for Cloudflare Workers. We take security seriously, but please note this project has not been formally security-audited.
## Reporting a Vulnerability
**Preferred:** Use GitHubs private vulnerability reporting (Security tab → “Report a vulnerability”).
**Do not** open a public issue with exploit details.
When reporting, include:
- A clear description of the issue and impact.
- Steps to reproduce (ideally on your own deployment).
- Affected endpoint(s)/file(s) and any relevant configuration (e.g., `wrangler.toml` ratelimit bindings, Durable Objects offload, R2 attachments).
- Version/commit SHA and your deployment environment (Workers plan, Wrangler version if relevant).
## Disclosure Guidelines
- Please give us a reasonable amount of time to investigate and address the issue before public disclosure.
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Do not perform denial-of-service testing against the demo instance.
## Supported Versions
Security fixes are provided on a best-effort basis for the latest release and the `main` branch. Older versions may not receive security patches.
## In Scope
- Backend implementation in `src/` (auth, crypto, handlers, database access).
- Worker entrypoint and edge concerns in `src/entry.js` (routing, attachment streaming, Durable Objects offload).
- Wrangler configuration in `wrangler.toml` (bindings, rate limiting, routes).
- Database schema and migrations (`sql/`, `migrations/`).
- Deployment tooling and scripts (`docs/`, `scripts/`, GitHub Actions workflows).
- UI overrides shipped by this repo (e.g., `public/css/`).
## Out of Scope / Exclusions
- Issues in upstream Bitwarden clients (mobile/desktop/browser extensions).
- Issues in the bundled upstream Web Vault build (`bw_web_builds`) that are not caused by this repositorys overrides.
- Vulnerabilities in the Cloudflare platform itself (Workers/D1/R2/DO); please report those to Cloudflare.
- Vulnerabilities in unmaintained/outdated deployments.
- Attacks requiring physical access to a users device.
- Social engineering, spam, and denial-of-service attempts.
## Deployment Hardening (Operators)
This project is "self-hosted": **your Cloudflare account is part of your security boundary**. Review the deployment docs and consider the following:
- Set strong secrets: `JWT_SECRET` and `JWT_REFRESH_SECRET` (>32 characters, random, unique per environment).
- Restrict who can register/log in (e.g., `ALLOWED_EMAILS`), and consider disabling open registration.
- Ensure rate limiting is configured (see `wrangler.toml` `[[ratelimits]]` bindings); missing bindings degrade gracefully and may reduce protection.
- Treat Cloudflare API tokens as highly sensitive; grant least privilege and rotate when needed.
- Protect backups and exports (D1 backups, logs) as they may contain sensitive metadata.