tauri-apps/tauri
Security and protocols
Tauri's threat model assumes the WebView is the largest attack surface. The codebase reflects that with several layered defences, all of which live in this repo.
Custom protocols (no localhost server)
Tauri does not start an HTTP server to serve frontend assets. Instead it registers custom URI scheme handlers on the WebView at startup. By default the user app loads from tauri://localhost (or https://tauri.localhost on Windows for WebView2), and the registered handler resolves URLs against either:
- Production: the embedded asset bundle produced by
tauri-codegen(crates/tauri-codegen/src/embedded_assets.rs). - Development: a passthrough to the user's frontend dev server (Vite, Next.js, etc.).
The handlers are registered in crates/tauri-runtime-wry/src/lib.rs (search register_uri_scheme_protocol); the Tauri-side logic lives in crates/tauri/src/protocol/.
Two additional schemes are handled in the same way:
asset://— a permissioned read-through into the filesystem, gated by theprotocol-assetCargo feature and ACL scope. Supports HTTP Range so video/audio works. Code:crates/tauri/src/protocol/asset.rs.isolation://— used by the isolation pattern. Code:crates/tauri/src/protocol/isolation.rs.
CSP injection
The codegen rewrites the user's HTML at compile time:
- Parses each script and style tag.
- Computes
sha256-...hashes for every inline script/style. - Adds those hashes to the configured CSP (
tauri.conf.json#app.security.csp). - Strips Tauri's own injected init script's hash so users don't have to know it.
Code: crates/tauri-utils/src/html.rs (and html2.rs); the CSP configuration types are in crates/tauri-utils/src/config.rs.
Isolation pattern
When tauri.conf.json#app.security.pattern.use = "isolation":
- The codegen embeds an iframe shell that wraps the user app inside an
isolation://document. - A fresh AES-GCM key is generated at compile time and embedded into the shell.
- Every IPC payload from the user frontend is encrypted by the shell before it reaches the webview's
__TAURI_INTERNALS__.postMessage. - The Rust side decrypts the payload before invoking the command. A wrong key (i.e. a payload not produced by the legitimate shell) is rejected.
This makes injection attacks against the user code unable to issue commands directly: an attacker who runs JS in the user document does not have access to the shell's encryption key. Code: crates/tauri/src/pattern.rs, crates/tauri-utils/src/pattern/, and the codegen embedding in crates/tauri-codegen/src/context.rs.
The isolation pattern is gated by the isolation Cargo feature.
ACL and capabilities
See systems/acl-and-capabilities. The ACL is the primary authorisation gate for every IPC command and every scoped resource (file path, URL, …). It is enforced even when dangerous-disable-asset-csp-modification = true is set in config.
Updater verification
The bundler produces signed update archives. The signature uses an ed25519 keypair generated by tauri-cli (crates/tauri-cli/src/signer/). The runtime updater (in tauri-plugin-updater, hosted in the plugins-workspace repo) verifies the signature before applying the update. Code in this repo: crates/tauri-bundler/src/bundle/updater_bundle.rs (bundling) and crates/tests/app-updater/ (integration test).
Code signing on macOS
crates/tauri-macos-sign wraps codesign and xcrun notarytool so the bundler can produce signed and notarised .app/.dmg artefacts. Hardened runtime is on by default. See crates/tauri-macos-sign.
Reporting vulnerabilities
Use GitHub's Private Vulnerability Disclosure (the Security tab on the repo). The full policy is in SECURITY.md. Do not open issues, PRs, Discord messages, or forum threads about suspected vulnerabilities.
Files at a glance
| File | Role |
|---|---|
crates/tauri/src/pattern.rs |
Brownfield vs isolation pattern |
crates/tauri-utils/src/pattern/ |
Isolation pattern token / HTML helpers |
crates/tauri-codegen/src/context.rs |
Embeds isolation key + wrapper HTML at compile time |
crates/tauri-utils/src/html.rs |
CSP injection |
crates/tauri/src/protocol/asset.rs |
asset:// handler |
crates/tauri/src/protocol/isolation.rs |
isolation:// handler |
crates/tauri-runtime-wry/src/lib.rs |
Registers the URI scheme handlers |
crates/tauri/src/scope/ |
Scope evaluation in commands |
crates/tauri-bundler/src/bundle/updater_bundle.rs |
Updater archive signing |
crates/tauri-cli/src/signer/ |
ed25519 key gen + signing CLI |
crates/tauri-macos-sign/ |
macOS code signing |
SECURITY.md |
Vulnerability reporting policy |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.