Can the Vaultwarden api/config Endpoint be Hidden？

[AlisterTT]

Hello everyone,

I'm currently using Vaultwarden and have noticed that the api/config endpoint is accessible by default. I have some concerns regarding the security and potential methods to restrict access to this endpoint and would appreciate any insights from the community.

My main question is regarding the security implications of this endpoint being publicly accessible. Does exposing this endpoint pose any security risks, considering it reveals configuration details like software version, server name, and URL?

Additionally, I'm curious if it's possible to hide or restrict access to this endpoint, specifically using Nginx.

Thanks in advance for your time and assistance!

[jduardo2704]

Try add the following location directive to your NGINX configuration:

location ^~ /api/config {
    return 403;
}

[BlackDex]

That will break the clients, so no, that is not possible.

[BlackDex]

Short answer, no.

Longer answer: That file is needed by the clients, including the web-vault to determine features available.
Without access to this file the clients will probably not work as expected.

Also, it can't be behind a login or something similar, since the clients request that file before you even did a login at all.
You could try to check for some headers and block/allow it based upon that, but be aware that it might break clients.

[BlackDex]

In regards to the security concerns.

• The URL is already known, else someone wasn't able to access that file in the first place
• Hiding the version is probably also useless, since someone could check the Javascript/CSS files served and compare them and figure it out.
• The feature flags are not really a security hole i think, it would only show if there are feature flags enabled or not.

[jduardo2704]

Thank you for the clarification; I truly appreciate the time taken to explain this. I will keep this in mind.