Skip to content
Tauri

Security

This page is designed to explain the high-level concepts and security features at the core of Tauri’s design and ecosystem that make you, your applications and your users more secure by default.

It also includes advice on best practices, how to report vulnerabilities to us and references to detailed concept explanations.

Trust Boundaries

Tauri’s security model differentiates between Rust code written for the application’s core and frontend code written in any framework or language understood by the system WebView.

The IPC layer is the bridge for communication between these two trust groups and ensures that boundaries are not broken.

IPC Diagram

Any code executed by the plugins or the application core has full access to all available system resources and is not constrained.

Any code executed in the WebView only has access to system resources via the well-defined IPC layer. Access to core application commands is configured and restricted by capabilities defined in the application configuration. The individual command implementations enforce the optional fine-grained access levels also defined in the capabilities configuration.

Learn more about the individual components and boundary enforcement:

Tauri allows developers to choose their own frontend stack and framework. This means that we cannot provide a hardening guide for every frontend stack of of choice, but Tauri provides generic features to control and contain the attack surface.

Ecosystem

The Tauri organization provides and maintains more than just the Tauri repository and to ensure that our efforts to provide a reasonable secure multi platform application framework we need to go some extra miles.

To learn more about how we secure our development process, what you could adapt and implement, what known threats your application can face and what we plan to improve or harden in the future, you can check out the following documents:

Coordinated Disclosure

If you feel that there is a security concern or issue with anything in Tauri or other repositories in our organization, please do not publicly comment on your findings. Instead, reach out directly to our security team.

The preferred disclosure method is via Github Vulnerability Disclosure on the affected repository. Most of our repositories have this feature enabled but if in doubt please submit via the Tauri repository.

Alternatively you can contact us via email at: security@tauri.app.

Although we do not currently have a budget for security bounties, in some cases, we will consider rewarding coordinated disclosure with our limited resources.


© 2024 Tauri Contributors. CC-BY / MIT