HTTP Response validation diagnostics errors in Vaultwarden

What app is this about, and its version: Vaultwarden v1.34.3~ynh3
What YunoHost version are you running: 12.1.37
What type of hardware are you using: VPS bought online

Describe your issue

In the /admin/diagnostics page of my Vaultwarden server, I see the following errors, related to time discrepancies but most importantly to HTTP Response validation. Any suggestions on how to solve them?

Share relevant logs or error messages

API calls:
Header: ‘x-xss-protection’ does not contain ‘0’
Header: ‘content-security-policy’ does not contain ‘default-src ‘none’’
Header: ‘content-security-policy’ does not contain ‘font-src ‘self’’
Header: ‘content-security-policy’ does not contain ‘manifest-src ‘self’’
Header: ‘content-security-policy’ does not contain ‘base-uri ‘self’’
Header: ‘content-security-policy’ does not contain ‘form-action ‘self’’
Header: ‘content-security-policy’ does not contain ‘object-src ‘self’ blob:’
Header: ‘content-security-policy’ does not contain ‘script-src ‘self’ ‘wasm-unsafe-eval’’
Header: ‘content-security-policy’ does not contain ‘style-src ‘self’ ‘unsafe-inline’’
Header: ‘content-security-policy’ does not contain ‘child-src ‘self’ https://*.duosecurity.com https://*.duofederal.com’
Header: ‘content-security-policy’ does not contain ‘frame-src ‘self’ https://*.duosecurity.com https://*.duofederal.com’
Header: ‘content-security-policy’ does not contain ‘frame-ancestors ‘self’ chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*’
Header: ‘content-security-policy’ does not contain ‘img-src ‘self’ data: https://haveibeenpwned.com
Header: ‘content-security-policy’ does not contain ‘connect-src ‘self’ https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net
2FA Connector calls:
Header: ‘x-xss-protection’ does not contain ‘0’
Header: ‘x-frame-options’ is present while it should not
Header: ‘content-security-policy’ is present while it should not

Hi,

I have the same errors, but no problem in my case.

It is written “API calls”, so I suppose that they may occur if you use APIs.

But I don’t…

Incoming fix HTTP security header validation errors by b4D8 · Pull Request #306 · YunoHost-Apps/vaultwarden_ynh · GitHub, stay tuned!


Thank you!
