Warden is a self-hosted, Bitwarden-compatible backend for Cloudflare Workers. We take security seriously, but please note this project has not been formally security-audited.

Preferred: Use GitHub’s private vulnerability reporting (Security tab → “Report a vulnerability”).

Do not open a public issue with exploit details.

When reporting, include:

• A clear description of the issue and impact.
• Steps to reproduce (ideally on your own deployment).
• Affected endpoint(s)/file(s) and any relevant configuration (e.g., wrangler.toml ratelimit bindings, Durable Objects offload, R2 attachments).
• Version/commit SHA and your deployment environment (Workers plan, Wrangler version if relevant).

• Please give us a reasonable amount of time to investigate and address the issue before public disclosure.
• Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
• Do not perform denial-of-service testing against the demo instance.

Security fixes are provided on a best-effort basis for the latest release and the main branch. Older versions may not receive security patches.

• Backend implementation in src/ (auth, crypto, handlers, database access).
• Worker entrypoint and edge concerns in src/entry.js (routing, attachment streaming, Durable Objects offload).
• Wrangler configuration in wrangler.toml (bindings, rate limiting, routes).
• Database schema and migrations (sql/, migrations/).
• Deployment tooling and scripts (docs/, scripts/, GitHub Actions workflows).
• UI overrides shipped by this repo (e.g., public/css/).

• Issues in upstream Bitwarden clients (mobile/desktop/browser extensions).
• Issues in the bundled upstream Web Vault build (bw_web_builds) that are not caused by this repository’s overrides.
• Vulnerabilities in the Cloudflare platform itself (Workers/D1/R2/DO); please report those to Cloudflare.
• Vulnerabilities in unmaintained/outdated deployments.
• Attacks requiring physical access to a user’s device.
• Social engineering, spam, and denial-of-service attempts.

This project is "self-hosted": your Cloudflare account is part of your security boundary. Review the deployment docs and consider the following:

• Set strong secrets: JWT_SECRET and JWT_REFRESH_SECRET (>32 characters, random, unique per environment).
• Restrict who can register/log in (e.g., ALLOWED_EMAILS), and consider disabling open registration.
• Ensure rate limiting is configured (see wrangler.toml [[ratelimits]] bindings); missing bindings degrade gracefully and may reduce protection.
• Treat Cloudflare API tokens as highly sensitive; grant least privilege and rotate when needed.
• Protect backups and exports (D1 backups, logs) as they may contain sensitive metadata.