docs: add SECURITY.md
This commit is contained in:
parent
663f2b59d2
commit
85d2922332
1 changed files with 55 additions and 0 deletions
55
SECURITY.md
Normal file
55
SECURITY.md
Normal file
|
|
@ -0,0 +1,55 @@
|
||||||
|
# Security Policy
|
||||||
|
|
||||||
|
Warden is a self-hosted, Bitwarden-compatible backend for Cloudflare Workers. We take security seriously, but please note this project has not been formally security-audited.
|
||||||
|
|
||||||
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
|
**Preferred:** Use GitHub’s private vulnerability reporting (Security tab → “Report a vulnerability”).
|
||||||
|
|
||||||
|
**Do not** open a public issue with exploit details.
|
||||||
|
|
||||||
|
When reporting, include:
|
||||||
|
|
||||||
|
- A clear description of the issue and impact.
|
||||||
|
- Steps to reproduce (ideally on your own deployment).
|
||||||
|
- Affected endpoint(s)/file(s) and any relevant configuration (e.g., `wrangler.toml` ratelimit bindings, Durable Objects offload, R2 attachments).
|
||||||
|
- Version/commit SHA and your deployment environment (Workers plan, Wrangler version if relevant).
|
||||||
|
|
||||||
|
## Disclosure Guidelines
|
||||||
|
|
||||||
|
- Please give us a reasonable amount of time to investigate and address the issue before public disclosure.
|
||||||
|
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
|
||||||
|
- Do not perform denial-of-service testing against the demo instance.
|
||||||
|
|
||||||
|
## Supported Versions
|
||||||
|
|
||||||
|
Security fixes are provided on a best-effort basis for the latest release and the `main` branch. Older versions may not receive security patches.
|
||||||
|
|
||||||
|
## In Scope
|
||||||
|
|
||||||
|
- Backend implementation in `src/` (auth, crypto, handlers, database access).
|
||||||
|
- Worker entrypoint and edge concerns in `src/entry.js` (routing, attachment streaming, Durable Objects offload).
|
||||||
|
- Wrangler configuration in `wrangler.toml` (bindings, rate limiting, routes).
|
||||||
|
- Database schema and migrations (`sql/`, `migrations/`).
|
||||||
|
- Deployment tooling and scripts (`docs/`, `scripts/`, GitHub Actions workflows).
|
||||||
|
- UI overrides shipped by this repo (e.g., `public/css/`).
|
||||||
|
|
||||||
|
## Out of Scope / Exclusions
|
||||||
|
|
||||||
|
- Issues in upstream Bitwarden clients (mobile/desktop/browser extensions).
|
||||||
|
- Issues in the bundled upstream Web Vault build (`bw_web_builds`) that are not caused by this repository’s overrides.
|
||||||
|
- Vulnerabilities in the Cloudflare platform itself (Workers/D1/R2/DO); please report those to Cloudflare.
|
||||||
|
- Vulnerabilities in unmaintained/outdated deployments.
|
||||||
|
- Attacks requiring physical access to a user’s device.
|
||||||
|
- Social engineering, spam, and denial-of-service attempts.
|
||||||
|
|
||||||
|
## Deployment Hardening (Operators)
|
||||||
|
|
||||||
|
This project is "self-hosted": **your Cloudflare account is part of your security boundary**. Review the deployment docs and consider the following:
|
||||||
|
|
||||||
|
- Set strong secrets: `JWT_SECRET` and `JWT_REFRESH_SECRET` (>32 characters, random, unique per environment).
|
||||||
|
- Restrict who can register/log in (e.g., `ALLOWED_EMAILS`), and consider disabling open registration.
|
||||||
|
- Ensure rate limiting is configured (see `wrangler.toml` `[[ratelimits]]` bindings); missing bindings degrade gracefully and may reduce protection.
|
||||||
|
- Treat Cloudflare API tokens as highly sensitive; grant least privilege and rotate when needed.
|
||||||
|
- Protect backups and exports (D1 backups, logs) as they may contain sensitive metadata.
|
||||||
|
|
||||||
Loading…
Reference in a new issue