Add SECURITY.MD documentation #68
Comments
Bearer token is saved to browser cache, which is about as much auth as you can have without a backend to facilitate it.
Thank you. For example, vpn.xxxx.com is the login URL, and vpn.xxxx.com/web can manage all Tailscale clients. I think vpn.xxxx.com/web needs a login page; otherwise people who can visit vpn.xxxx.com can also manage all Tailscale clients.
Try saving your API key and then opening an incognito window or a browser on another profile.
If you want to stop random access to this page, you have a few options depending on what you use.

- nginx: Use basic auth (easiest), or oauth through https://github.com/oauth2-proxy/oauth2-proxy
- Caddy: Use basic auth, maybe https://github.com/greenpau/caddy-security/blob/main/README.md (Personally haven't tested this for Caddy).
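As an added illustration of the nginx option above (example config, not from this issue or the project): basic auth is applied only to the `/web` path, so the login URL at the site root stays reachable. The upstream address, the htpasswd file path and the user name are assumptions.

```nginx
# Added example, not part of the original thread.
# Assumptions: the UI is served by an upstream on 127.0.0.1:8080 (placeholder),
# and /etc/nginx/.htpasswd was created with: htpasswd -c /etc/nginx/.htpasswd admin
server {
    listen 443 ssl;
    server_name vpn.xxxx.com;
    # TLS certificate directives omitted. Basic auth only base64-encodes the
    # credentials, so this block must be served over HTTPS, never plain HTTP.

    # The management UI: every request under /web must present credentials.
    location /web {
        auth_basic           "Tailscale web UI";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://127.0.0.1:8080;
        proxy_set_header     Host $host;
        proxy_set_header     X-Forwarded-For $remote_addr;
    }

    # The login URL at the root stays open, as in the thread's example.
    location / {
        proxy_pass       http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

Check the rule with `nginx -t` and then confirm that `curl -I https://vpn.xxxx.com/web` returns 401 without credentials while `curl -I https://vpn.xxxx.com/` still returns 200.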
Mostly it should be irrelevant, as anything sensitive is saved to the local browser cache. It's not ideal, as if there's a security issue with the client code, it can cause leaks of sensitive data. However, this is mitigated by the fact that client code is effectively signed by the hash signature of the compiled code. This isn't ideal and should be better served by a client-server model, but that is functionally impossible with a pure client side solution such as
yeah, i really don't see the point, unless you really don't want someone or a random bot to find it, but what are they going to do? 🤷
No description provided.