Open-Source Wikis

/

Tauri

/

Systems

/

Security and protocols

tauri-apps/tauri

Security and protocols

Tauri's threat model assumes the WebView is the largest attack surface. The codebase reflects that with several layered defences, all of which live in this repo.

Custom protocols (no localhost server)

Tauri does not start an HTTP server to serve frontend assets. Instead it registers custom URI scheme handlers on the WebView at startup. By default the user app loads from tauri://localhost (or https://tauri.localhost on Windows for WebView2), and the registered handler resolves URLs against either:

  • Production: the embedded asset bundle produced by tauri-codegen (crates/tauri-codegen/src/embedded_assets.rs).
  • Development: a passthrough to the user's frontend dev server (Vite, Next.js, etc.).

The handlers are registered in crates/tauri-runtime-wry/src/lib.rs (search register_uri_scheme_protocol); the Tauri-side logic lives in crates/tauri/src/protocol/.

Two additional schemes are handled in the same way:

  • asset:// — a permissioned read-through into the filesystem, gated by the protocol-asset Cargo feature and ACL scope. Supports HTTP Range so video/audio works. Code: crates/tauri/src/protocol/asset.rs.
  • isolation:// — used by the isolation pattern. Code: crates/tauri/src/protocol/isolation.rs.

CSP injection

The codegen rewrites the user's HTML at compile time:

  1. Parses each script and style tag.
  2. Computes sha256-... hashes for every inline script/style.
  3. Adds those hashes to the configured CSP (tauri.conf.json#app.security.csp).
  4. Strips Tauri's own injected init script's hash so users don't have to know it.

Code: crates/tauri-utils/src/html.rs (and html2.rs); the CSP configuration types are in crates/tauri-utils/src/config.rs.

Isolation pattern

When tauri.conf.json#app.security.pattern.use = "isolation":

  • The codegen embeds an iframe shell that wraps the user app inside an isolation:// document.
  • A fresh AES-GCM key is generated at compile time and embedded into the shell.
  • Every IPC payload from the user frontend is encrypted by the shell before it reaches the webview's __TAURI_INTERNALS__.postMessage.
  • The Rust side decrypts the payload before invoking the command. A wrong key (i.e. a payload not produced by the legitimate shell) is rejected.

This makes injection attacks against the user code unable to issue commands directly: an attacker who runs JS in the user document does not have access to the shell's encryption key. Code: crates/tauri/src/pattern.rs, crates/tauri-utils/src/pattern/, and the codegen embedding in crates/tauri-codegen/src/context.rs.

The isolation pattern is gated by the isolation Cargo feature.

ACL and capabilities

See systems/acl-and-capabilities. The ACL is the primary authorisation gate for every IPC command and every scoped resource (file path, URL, …). It is enforced even when dangerous-disable-asset-csp-modification = true is set in config.

Updater verification

The bundler produces signed update archives. The signature uses an ed25519 keypair generated by tauri-cli (crates/tauri-cli/src/signer/). The runtime updater (in tauri-plugin-updater, hosted in the plugins-workspace repo) verifies the signature before applying the update. Code in this repo: crates/tauri-bundler/src/bundle/updater_bundle.rs (bundling) and crates/tests/app-updater/ (integration test).

Code signing on macOS

crates/tauri-macos-sign wraps codesign and xcrun notarytool so the bundler can produce signed and notarised .app/.dmg artefacts. Hardened runtime is on by default. See crates/tauri-macos-sign.

Reporting vulnerabilities

Use GitHub's Private Vulnerability Disclosure (the Security tab on the repo). The full policy is in SECURITY.md. Do not open issues, PRs, Discord messages, or forum threads about suspected vulnerabilities.

Files at a glance

File Role
crates/tauri/src/pattern.rs Brownfield vs isolation pattern
crates/tauri-utils/src/pattern/ Isolation pattern token / HTML helpers
crates/tauri-codegen/src/context.rs Embeds isolation key + wrapper HTML at compile time
crates/tauri-utils/src/html.rs CSP injection
crates/tauri/src/protocol/asset.rs asset:// handler
crates/tauri/src/protocol/isolation.rs isolation:// handler
crates/tauri-runtime-wry/src/lib.rs Registers the URI scheme handlers
crates/tauri/src/scope/ Scope evaluation in commands
crates/tauri-bundler/src/bundle/updater_bundle.rs Updater archive signing
crates/tauri-cli/src/signer/ ed25519 key gen + signing CLI
crates/tauri-macos-sign/ macOS code signing
SECURITY.md Vulnerability reporting policy

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security and protocols – Tauri wiki | Factory