
What are the steps I have to follow to secure taskwarrior web when I host it on a vps for personal use?

Open anilv4 opened this issue 6 years ago • 4 comments

What are the steps I have to follow to secure taskwarrior web when I host it on a VPS for personal use?

Thanks, Anil

anilv4 avatar Nov 03 '17 06:11 anilv4

Per the README:

task-web is mostly designed to run locally. As such, security is not of the highest priority. You may find that things such as CSRF protection are lacking. If things like this are important to you, please file an issue or a pull request.

As things stand today, it's not recommended to run task-web Internet-facing. If you want to run it on a VPS, your best route is to block most incoming traffic to your VPS and connect to it from your client machine using VPN or an SSH tunnel.

cilynx avatar Apr 18 '18 15:04 cilynx

I'm using HTTP basic auth for that purpose. Brute-force attacks could be handled with something like fail2ban. The only thing I would like to add to my setup is SSL to secure credentials.

Zebradil avatar Apr 19 '18 22:04 Zebradil

Along the same lines, I want to host this behind nginx. Is there a way to force it to only be served on localhost? I can block public traffic on 5678 but I'd rather it not be served at all.

eamonne avatar Jun 03 '18 01:06 eamonne

Try running it with the --host argument:

$ task-web --host 127.0.0.1

Zebradil avatar Jun 03 '18 09:06 Zebradil
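
One way to confirm that `--host 127.0.0.1` took effect, as an added example that is not part of the thread or of the task-web project: classify the listeners on port 5678 from `ss -ltn` output. The helper name `bind_status` is hypothetical and the sample `ss` lines are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: decide whether a TCP port is bound to loopback only,
# by reading `ss -ltn` style lines on stdin.

# Constructed sample output (default bind on all interfaces).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:5678 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample output (after starting with --host 127.0.0.1).
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:5678 0.0.0.0:*
LISTEN 0 128 [::1]:5678 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# bind_status PORT
# Prints "loopback-only", "exposed <addr>..." or "not-listening".
bind_status() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      sock = $4                                  # Local Address:Port column
      n = split(sock, parts, ":")                # port is the last ":" field
      if (parts[n] != port) next
      addr = substr(sock, 1, length(sock) - length(parts[n]) - 1)
      seen = 1
      # 127.0.0.0/8 and ::1 are loopback; anything else is reachable
      # from other hosts unless a firewall blocks it.
      if (addr ~ /^127\./ || addr == "[::1]") next
      exposed = exposed " " addr
    }
    END {
      if (!seen)              print "not-listening"
      else if (exposed != "") print "exposed" exposed
      else                    print "loopback-only"
    }'
}

# Demo on the constructed samples; on a live host use:
#   ss -ltn | bind_status 5678
printf 'default bind: %s\n' "$(printf '%s\n' "$SAMPLE_EXPOSED" | bind_status 5678)"
printf 'with --host:  %s\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | bind_status 5678)"
```

A wildcard listener (`0.0.0.0`, `[::]` or `*`) is reported as exposed even when a firewall currently drops traffic to the port, which is the case eamonne wanted to avoid relying on.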