WebAuth Frame Blocked Only in Desktop Client

Hello!

I’ve slowly been transitioning to a self-hosted vaultwarden instance, but noticed that I cannot use the desktop bitwarden apps with FIDO 2FA enabled. The frame responsible for handling the authentication hangs on loading; I believe it is because the X-Frame-Options header is set to sameorigin. I have vaultwarden behind an Apache2 proxy as specified in the proxy examples, but I cannot see anything in my configuration that might set up that header.

Would you happen to know if this is something I need to fix within Apache2 or if this header is added by vaultwarden?

Within the proxy examples there is nothing about those headers.
And, you shouldn’t add those. They will be added by Vaultwarden automatically when needed.

So, remove those extra headers from the Apache config.

2 Likes

I had slightly tweaked the examples, but the changes I did make (mod_md and HSTS) shouldn’t have added that header. I dug around a bit more and it was set in one of the global config files ¯\_(ツ)_/¯. I forgot that it was possible to set global stuff and didn’t expect it to be in another unrelated file. I probably added it at some point and forgot it ever existed.

Thank you for ruling out vaultwarden! I’m happy I can finally use desktop clients.
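
One way to track down where a stray `X-Frame-Options` is being set, as happened in the thread above (an added example, not part of the original posts and not Vaultwarden or Apache project code): a small scanner that walks an Apache config tree and reports every active mod_headers `Header` directive for a given header, skipping commented lines and joining backslash continuations. The file names and contents inside `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# mod_headers syntax: Header [always|onsuccess] action name[:] [value]
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?'
    r'(set|setifempty|append|add|merge|unset|edit\*?)\s+'
    r'"?([A-Za-z0-9-]+):?"?\s*(.*)$', re.IGNORECASE)

def logical_lines(path):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = "", 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            start = start or n
            line = raw.rstrip("\r\n")
            if line.endswith("\\"):
                buf += line[:-1] + " "
                continue
            yield start, buf + line
            buf, start = "", 0

def find_header_directives(conf_root, header="X-Frame-Options"):
    """Return (relative_path, line, action, value) for each active directive."""
    hits = []
    for path in (p for p in sorted(Path(conf_root).rglob("*")) if p.is_file()):
        for lineno, text in logical_lines(path):
            m = HEADER_RE.match(text)  # lines starting with '#' never match
            if m and m.group(2).lower() == header.lower():
                rel = path.relative_to(conf_root).as_posix()
                value = m.group(3).strip().strip('"')
                hits.append((rel, lineno, m.group(1).lower(), value))
    return hits

def demo(header="X-Frame-Options"):
    tree = {  # constructed sample: file names and contents are made up
        "conf-enabled/hardening.conf":
            '# Header set X-Frame-Options "deny"\n'
            'Header always set X-Frame-Options: "sameorigin"\n',
        "sites-enabled/vault.conf":
            'Header always set Strict-Transport-Security \\\n'
            '    "max-age=31536000"\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body)
        return find_header_directives(root, header)
```

Pointing `find_header_directives` at the real config root (for example `/etc/apache2`) gives the file and line of the directive to remove, including ones in global files outside the virtual host.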