Security: buildingopen/openbrowser

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability, please report it privately by opening a GitHub Security Advisory.

Do not open a public issue for security vulnerabilities.

Scope

OpenBrowser manages authenticated browser sessions. Security-relevant areas include:

  • CDP port exposure: CDP must only listen on 127.0.0.1. Any configuration that exposes CDP to the network is a vulnerability.
  • Chrome profile data: Contains cookies, tokens, and session data for all logged-in accounts.
  • VNC sessions: Must be ephemeral (auto-terminate after disconnect) with random passwords.
  • TOTP secrets: Must be stored with restrictive permissions (chmod 600).
  • Backup files: Contain full Chrome profiles and must not be accessible to unauthorized users.

Known Limitations

  • Server mode runs Chrome as root. The default systemd service has no User= directive, so Chrome runs as root with --no-sandbox (Chrome's own process sandbox is disabled). This is standard for single-purpose VPS setups but is not recommended for shared servers. Create a dedicated user if your server runs other services.
  • Docker network exposure. Inside the container, socat binds CDP to 0.0.0.0 (required for Docker port mapping). The compose file binds the host port to 127.0.0.1, so the host is protected. However, other containers on the same Docker network can reach CDP directly. Do not place OpenBrowser on a shared Docker network with untrusted containers. CDP has no authentication layer.
  • Backup files contain session data. Chrome profile backups include cookies and tokens. Protect backup files with restrictive permissions and do not store them on shared or unencrypted storage.

Design Principles

  • CDP binds to 127.0.0.1 only, never 0.0.0.0 (except inside Docker containers, where socat must bind to 0.0.0.0 for port mapping)
  • Docker compose binds to 127.0.0.1 by default
  • VNC uses the -once flag, a random per-session password, and a 10-minute timeout
  • No secrets are stored in the repository
  • Chrome profile, TOTP secrets, and backups are in .gitignore
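
The following audit helpers are an added example, not code from the OpenBrowser project: they check three of the invariants above (CDP listens on loopback only, the compose port mapping binds the host side to 127.0.0.1, and TOTP secret or backup files are mode 0600 or stricter). The CDP port 9222, the `ss -ltn` sample output and the file names are assumptions.

```python
"""Audit helpers for the OpenBrowser security invariants (added example).
Listener lines are expected in `ss -ltn` format; the port is an assumption."""
import os
import re
import stat

CDP_PORT = 9222  # assumed; substitute the port OpenBrowser is configured with

# Constructed sample of `ss -ltn` output: CDP on loopback, sshd on all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9222      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

LOOPBACK = ("127.0.0.1", "[::1]")


def exposed_listeners(ss_output: str, port: int = CDP_PORT) -> list:
    """Return every local address on which `port` listens that is not loopback.
    An empty list means CDP is reachable only from the host itself."""
    bad = []
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if m and int(m.group(2)) == port and m.group(1) not in LOOPBACK:
            bad.append(m.group(1))
    return bad


def compose_port_is_local(mapping: str) -> bool:
    """True if a docker-compose `ports:` entry binds the host side to loopback,
    i.e. the '127.0.0.1:HOST:CONTAINER' form rather than 'HOST:CONTAINER'."""
    parts = mapping.split(":")
    return len(parts) == 3 and parts[0] == "127.0.0.1"


def mode_is_private(mode: int) -> bool:
    """True if the permission bits grant nothing to group or other (0600 or stricter)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def file_is_private(path: str) -> bool:
    """Apply mode_is_private to a file on disk (TOTP secret, backup archive)."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print("CDP exposed on:", exposed_listeners(SAMPLE_SS) or "nothing (OK)")
    print("compose host bind local:", compose_port_is_local("127.0.0.1:9222:9222"))
    print("0600 private:", mode_is_private(0o100600), "0644 private:", mode_is_private(0o100644))
```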
