
Security

This page is designed to explain the high-level concepts and security features at the core of Tauri’s design and ecosystem that make you, your applications and your users more secure by default.

It also includes advice on best practices, how to report vulnerabilities to us and references to detailed concept explanations.

Tauri’s security model differentiates between Rust code written for the application’s core and frontend code written in any framework or language understood by the system WebView.

The IPC layer is the bridge for communication between these two trust groups and ensures that boundaries are not broken.

Figure: IPC diagram

Any code executed by the plugins or the application core has full access to all available system resources and is not constrained.

Any code executed in the WebView only has access to system resources via the well-defined IPC layer. Access to core application commands is configured and restricted by capabilities defined in the application configuration. The individual command implementations enforce the optional fine-grained access levels also defined in the capabilities configuration.
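As an added illustration of the capability model described above (this is example configuration written for this page, not a file from the Tauri project), the following Tauri 2 capability grants a single window access to a small set of commands and scopes the filesystem commands to one directory. The permission identifiers (`core:default`, `fs:allow-read-text-file`, `fs:allow-write-text-file`) and the `$APPDATA` base-directory variable are assumed to come from the Tauri core and the `fs` plugin; the window label `main`, the file name and the paths are assumptions for this example, and the generated schema in `gen/schemas` is the authority on what your installed version accepts.

```json
{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-window-files",
  "description": "Example capability (not from the Tauri project): the main window may read and write text files only under the app data directory.",
  "windows": ["main"],
  "permissions": [
    "core:default",
    {
      "identifier": "fs:allow-read-text-file",
      "allow": [{ "path": "$APPDATA/notes/**" }],
      "deny": [{ "path": "$APPDATA/notes/private/**" }]
    },
    {
      "identifier": "fs:allow-write-text-file",
      "allow": [{ "path": "$APPDATA/notes/**" }],
      "deny": [{ "path": "$APPDATA/notes/private/**" }]
    }
  ]
}
```

Any other window, and any call from this window to a command or path not listed here, is rejected by the IPC layer before the Rust command runs; the `deny` entries are evaluated ahead of `allow`, so the nested `private` directory stays unreachable from the frontend.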

Learn more about the individual components and boundary enforcement:

Tauri allows developers to choose their own frontend stack and framework. This means that we cannot provide a hardening guide for every frontend stack of choice, but Tauri provides generic features to control and contain the attack surface.

The Tauri organization provides and maintains more than just the Tauri repository, and to ensure that our efforts result in a reasonably secure multi-platform application framework, we need to go some extra miles.

To learn more about how we secure our development process, what you could adapt and implement, what known threats your application can face and what we plan to improve or harden in the future, you can check out the following documents:

If you feel that there is a security concern or issue with anything in Tauri or other repositories in our organization, please do not publicly comment on your findings. Instead, reach out directly to our security team.

The preferred disclosure method is via GitHub Vulnerability Disclosure on the affected repository. Most of our repositories have this feature enabled, but if in doubt please submit via the Tauri repository.

Alternatively you can contact us via email at: security@tauri.app.

Although we do not currently have a budget for security bounties, in some cases, we will consider rewarding coordinated disclosure with our limited resources.


© 2024 Tauri Contributors. CC-BY / MIT