Skip to content

[Vaultwarden] Hint at problems with default Web Security Headers #1902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[Vaultwarden] Hint at problems with default Web Security Headers #1902

wants to merge 1 commit into from

Conversation

@JayBraker
Copy link

The guide should be amended by a hint towards uberspaces default Web Security Headers which might interfere with 2-step login and or notifications.

Refer to https://github.com/dani-garcia/vaultwarden/blob/8d1df08/src/util.rs lines 38 and 73

Also see #1901

@JayBraker
[Vaultwarden] Hint at problems with default Web Security Headers
5dce4c7 
The guide should be amended by a hint towards uberspaces default Web Security Headers which might interfere with 2-step login and or notifications.

Refer to https://github.com/dani-garcia/vaultwarden/blob/8d1df08/src/util.rs lines 38 and 73
@JayBraker
Copy link
Author

I am not too experienced writing documentation, this is just what I would have needed in the guide

nichtmax
nichtmax requested changes Jun 10, 2025
View reviewed changes
Copy link
Member

@nichtmax nichtmax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! It would be useful to have specific instructions for this case.

source/guide_vaultwarden.rst

.. note::
The default nginx config defines `X-Frame-Options: SAMEORIGIN` for all web backends. This may cause compatibility issues with the 2-step login feature and desktop/mobile clients as well as notifications on websockets.
If you encounter these issues, you may want to consider suppressing that header for relevant paths i. e. /*connector.html, /notifications/hub, /notifications/anonymous-hub, refer to the :manual:`web-security-headers manual<web-security-headers>`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice if you told how exactly to suppress these headers in this case.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JayBraker any updates on this? If not, we'll close this PR soon.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank your for the reminder.
I amended my proposal for a snippet/codeblock and rephrased the note to make a little more sense in combination with the snippet.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

um.. did you? 😅 I can't find any additional commit. Could you please check?

@nichtmax nichtmax marked this pull request as draft June 10, 2025 12:29
@JayBraker JayBraker marked this pull request as ready for review August 10, 2025 00:57
@nichtmax nichtmax marked this pull request as draft October 21, 2025 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nichtmax nichtmax nichtmax requested changes

@SalocinHB SalocinHB SalocinHB left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JayBraker @nichtmax @SalocinHB