From 6fb2f61792980eb52a4ce72700ad471e0fd64743 Mon Sep 17 00:00:00 2001
From: rwjack <59068073+rwjack@users.noreply.github.com>
Date: Sun, 9 Jun 2024 12:15:43 +0200
Subject: [PATCH] Clarify access_token in proxy access logs: https://github.com/dani-garcia/vaultwarden/discussions/4631

---
 Hardening-Guide.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Hardening-Guide.md b/Hardening-Guide.md
index 8b03cee..a9d8aea 100644
--- a/Hardening-Guide.md
+++ b/Hardening-Guide.md
@@ -29,6 +29,20 @@ For example, Rocket TLS doesn't support [strict SNI](#Strict-SNI) or ECC certs ( See [[Proxy example|Proxy-examples]] for some sample reverse proxy configurations. +### Access logs contain `access_token` parameter + +A WSS connection is established for notifications by invoking a GET request with a JWT key. + +Example GET request: + +``` +/notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg +``` + +If your reverse proxy is configured to save access logs, or the access logs are shipped to an external service such as Prometheus + Promtail, it is recommended to redact the value of the `access_token` parameter on the external log store, or directly on your reverse proxy of choice, if supported. + +No other data is ever send via GET request, encrypted or unencrypted. + # Docker configuration The subsections below cover hardening related to Docker.
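Review bot: the new section never says why a logged `access_token` matters, and the example still leaks: the value is the client's bearer JWT, so anyone with read access to the proxy or log-store can reuse it until it expires, which is the sentence this hardening note needs up front; and the partially redacted token in the example keeps long base64 runs that remain decodable into claim fragments, so replace the whole value with a synthetic placeholder such as `/notifications/hub?access_token=<redacted JWT>` instead of the 600-character line. Two smaller points in the same hunk: "Prometheus + Promtail" mixes a metrics system with a log shipper (Promtail ships to Grafana Loki), so name Loki or say "a log aggregation service"; and in the prose, "JWT key" should be "JWT (bearer token)" and "No other data is ever send via GET request" should read "sent". That last sentence is also a strong absolute claim about the API; either point to where it was verified or soften it to what the discussion established.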