From 9e34034a9feb8daa4fd960ab25003ee5154cc0d1 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 25 Dec 2022 13:47:49 +0100 Subject: [PATCH] Add ref to https://github.com/debops/debops/issues/1233. I previously referred to it from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples. This is a better/more central spot. --- Hardening-Guide.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Hardening-Guide.md b/Hardening-Guide.md index c0ca2b1..8beeec1 100644 --- a/Hardening-Guide.md +++ b/Hardening-Guide.md 
@@ -77,4 +77,6 @@ See: [[Fail2Ban Setup|Fail2Ban Setup]] ## Hiding under a subdir -Traditionally, a Bitwarden instance resides at the root of a subdomain (i.e., `bitwarden.example.com`, and not `bitwarden.example.com/some/path`). The upstream Bitwarden server currently only supports subdomain roots, while vaultwarden adds support for [[alternate base directories|Using-an-alternate-base-dir]]. For some users, this is useful simply because they only have access to one subdomain and want to run multiple services under different directories. In such cases, they typically choose something obvious like `mysubdomain.example.com/bitwarden`. However, you can also use this to provide an extra layer of protection by putting vaultwarden under something like `mysubdomain.example.com/bitwarden/`, where `` effectively acts as a password. Some may argue that this is [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity), but it's actually [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) -- the secrecy of the subdir is just an extra layer of security, and not intended to be the primary means of security (which is still the strength of a user's master password). \ No newline at end of file +Traditionally, a Bitwarden instance resides at the root of a subdomain (i.e., `bitwarden.example.com`, and not `bitwarden.example.com/some/path`). The upstream Bitwarden server currently only supports subdomain roots, while vaultwarden adds support for [[alternate base directories|Using-an-alternate-base-dir]]. For some users, this is useful simply because they only have access to one subdomain and want to run multiple services under different directories. In such cases, they typically choose something obvious like `mysubdomain.example.com/bitwarden`. 
However, you can also use this to provide an extra layer of protection by putting vaultwarden under something like `mysubdomain.example.com/bitwarden/`, where `` effectively acts as a password. Some may argue that this is [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity), but it's actually [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) -- the secrecy of the subdir is just an extra layer of security, and not intended to be the primary means of security (which is still the strength of a user's master password). + +For general discussion about subpath hosting for security refer to: https://github.com/debops/debops/issues/1233 \ No newline at end of file
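Review bot: The reference added on the last `+` line is a bare URL with no description, so a reader of Hardening-Guide.md cannot tell what the linked issue concludes about subpath hosting, and the guide loses the point entirely if the link rots; consider a Markdown link with a one-line summary of the argument the issue makes, e.g. `For a general discussion of the security value and limits of subpath hosting, see [debops/debops#1233](https://github.com/debops/debops/issues/1233).` (this also adds the comma missing after "for security"). Two smaller points: the file still ends with `\ No newline at end of file`, so this is a good moment to add the trailing newline, and the placeholder in `mysubdomain.example.com/bitwarden/` and in "where `` effectively acts as a password" renders as an empty pair of backticks in both the removed and the added text; since the whole paragraph hinges on that secret path segment, the placeholder name should be visible in the rendered text.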