It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

Where my Java/Kotlin frameworks at?

And then there is the “clipboard” (copy paste function) in the nano text editor being a third

In the end, I decided that if I’m gonna buy new RAM for this server, I might as well take the opportunity and upgrade the motherboard and CPU as well.

I went with an i3-13100 (with IGPU) on a Asrock B760M-ITX/D4 motherboard. I also added an m2 SSD and 32GB of RAM forugood measure.

I agree for serious/business applications. In my case, it’s a home server that I and some close friends and family access. But it is indeed exposed (basically, my router routes port 80 and 443 to the server within the NAT).

To discuss the header-based firewall: the host is used by Traefik to determine which docker container to route (reverse proxy) the traffic to. So I don’t see any obvious ways an attacker can really manipulate that to reach (in my case) the bitwarden instance. My main attack angle this protects if is there is some vulnerability in Bitwarden and bots are going around exploiting that. That way at least Traefik would already block them before they get to bitwarden.

But yes another service with a vulnerability could be exploited, then escape that docker container and you’re in the whole server.

Something to keep in mind here. I am also using an IP white-list, but only on some services Traefik hosts.

So for example bitwarden is behind an IP white-list, but subsonic is reachable from any IP.

I think in that case it’s not really possible (or doable) to write L2 firewall routes.

But if you want all traffic to port 80 on your server to be IP whitelisted, then a regular firewall would be good.

Then the next question is, when was it last updated?

Very cool! How often is this updated?