mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 07:50:02 +02:00 
			
		
		
		
	Disable show_password_hint by default
				
					
				
			A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
This commit is contained in:
		| @@ -210,8 +210,10 @@ | ||||
| ## The change only applies when the password is changed | ||||
| # PASSWORD_ITERATIONS=100000 | ||||
|  | ||||
| ## Whether password hint should be sent into the error response when the client request it | ||||
| # SHOW_PASSWORD_HINT=true | ||||
| ## Controls whether a password hint should be shown directly in the web page if | ||||
| ## SMTP service is not configured. Not recommended for publicly-accessible instances | ||||
| ## as this provides unauthenticated access to potentially sensitive data. | ||||
| # SHOW_PASSWORD_HINT=false | ||||
|  | ||||
| ## Domain settings | ||||
| ## The domain must match the address from where you access the server | ||||
|   | ||||
| @@ -388,9 +388,10 @@ make_config! { | ||||
|         /// Password iterations |> Number of server-side passwords hashing iterations. | ||||
|         /// The changes only apply when a user changes their password. Not recommended to lower the value | ||||
|         password_iterations:    i32,    true,   def,    100_000; | ||||
|         /// Show password hints |> Controls if the password hint should be shown directly in the web page. | ||||
|         /// Otherwise, if email is disabled, there is no way to see the password hint | ||||
|         show_password_hint:     bool,   true,   def,    true; | ||||
|         /// Show password hint |> Controls whether a password hint should be shown directly in the web page | ||||
|         /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this | ||||
|         /// provides unauthenticated access to potentially sensitive data. | ||||
|         show_password_hint:     bool,   true,   def,    false; | ||||
|  | ||||
|         /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session | ||||
|         admin_token:            Pass,   true,   option; | ||||
|   | ||||
		Reference in New Issue
	
	Block a user