55 lines
2.9 KiB
Markdown
55 lines
2.9 KiB
Markdown
# Security Policy
|
||
|
||
Warden is a self-hosted, Bitwarden-compatible backend for Cloudflare Workers. We take security seriously, but please note this project has not been formally security-audited.
|
||
|
||
## Reporting a Vulnerability
|
||
|
||
**Preferred:** Use GitHub’s private vulnerability reporting (Security tab → “Report a vulnerability”).
|
||
|
||
**Do not** open a public issue with exploit details.
|
||
|
||
When reporting, include:
|
||
|
||
- A clear description of the issue and impact.
|
||
- Steps to reproduce (ideally on your own deployment).
|
||
- Affected endpoint(s)/file(s) and any relevant configuration (e.g., `wrangler.toml` ratelimit bindings, Durable Objects offload, R2 attachments).
|
||
- Version/commit SHA and your deployment environment (Workers plan, Wrangler version if relevant).
|
||
|
||
## Disclosure Guidelines
|
||
|
||
- Please give us a reasonable amount of time to investigate and address the issue before public disclosure.
|
||
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
|
||
- Do not perform denial-of-service testing against the demo instance.
|
||
|
||
## Supported Versions
|
||
|
||
Security fixes are provided on a best-effort basis for the latest release and the `main` branch. Older versions may not receive security patches.
|
||
|
||
## In Scope
|
||
|
||
- Backend implementation in `src/` (auth, crypto, handlers, database access).
|
||
- Worker entrypoint and edge concerns in `src/entry.js` (routing, attachment streaming, Durable Objects offload).
|
||
- Wrangler configuration in `wrangler.toml` (bindings, rate limiting, routes).
|
||
- Database schema and migrations (`sql/`, `migrations/`).
|
||
- Deployment tooling and scripts (`docs/`, `scripts/`, GitHub Actions workflows).
|
||
- UI overrides shipped by this repo (e.g., `public/css/`).
|
||
|
||
## Out of Scope / Exclusions
|
||
|
||
- Issues in upstream Bitwarden clients (mobile/desktop/browser extensions).
|
||
- Issues in the bundled upstream Web Vault build (`bw_web_builds`) that are not caused by this repository’s overrides.
|
||
- Vulnerabilities in the Cloudflare platform itself (Workers/D1/R2/DO); please report those to Cloudflare.
|
||
- Vulnerabilities in unmaintained/outdated deployments.
|
||
- Attacks requiring physical access to a user’s device.
|
||
- Social engineering, spam, and denial-of-service attempts.
|
||
|
||
## Deployment Hardening (Operators)
|
||
|
||
This project is "self-hosted": **your Cloudflare account is part of your security boundary**. Review the deployment docs and consider the following:
|
||
|
||
- Set strong secrets: `JWT_SECRET` and `JWT_REFRESH_SECRET` (>32 characters, random, unique per environment).
|
||
- Restrict who can register/log in (e.g., `ALLOWED_EMAILS`), and consider disabling open registration.
|
||
- Ensure rate limiting is configured (see `wrangler.toml` `[[ratelimits]]` bindings); missing bindings degrade gracefully and may reduce protection.
|
||
- Treat Cloudflare API tokens as highly sensitive; grant least privilege and rotate when needed.
|
||
- Protect backups and exports (D1 backups, logs) as they may contain sensitive metadata.
|
||
|