I have set SIGNUPS_ALLOWED=false; however, one can still complete the registration form. Only on submission of the form is the registrant informed that registration is not possible.
It would be better to hide the (link to the) form completely. This improves security.
This is not something we can dynamically hide or show.
We use the web-vault from Bitwarden with just a few minor tweaks.
Also, you can still invite people, who then still need to follow that flow and use that button.
If you really want, you can hide it yourself by adding some CSS to the main.*.css file of the web-vault.
But besides that, if that flag is set to false, it doesn’t increase security by removing that button, since it just won’t work on the server side.
Also, entering the correct URL will still show that page in the end.
Clear, I will look at the CSS option.
With regard to the security:
Any information about getting access to a system is useful for potential hackers.
Not showing there is a “door” is safer than showing the “door”.
But I understand Vaultwarden is bound by the functionality of Bitwarden.
Not showing a door but still providing the blueprints of the building out in the open will not prevent bad people from getting access to the door. Which is exactly the case here, with all the source of Vaultwarden and Bitwarden in the open ;).