by archi42
965 days ago
1. If an attacker got your credentials, they'll probably also have the server URL. Reasoning: They probably infected your machine with infostealer malware and keylogged the password. Or are you using the exact same credentials someplace else?
2. If they can figure out your domain name, they can check crt.sh for "mysecretvaultwarden.domain.tld". If that only reveals wildcard certs and they're really interested in you or your company, they could try bruteforcing the DNS name.
3. If they breach the vaultwarden server and in case you're using the web UI, they can try to inject some JS to steal the credentials.

What I do to mitigate this:

1. Vaultwarden only reachable via VPN (e.g. wireguard on OpnSense)
2. Custom CA on all devices (e.g. step-ca with name constraints and local ACME [careful to put DHCP clients on a subdomain!])
3. DNS for my LAN+VPN is not public.

This massively reduces the external attack surface, compared to having a bunch of services available behind traefik.
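The crt.sh point above is easy to check from the defender's side: query Certificate Transparency for your own domain and see whether anything beyond wildcard certificates is visible. Below is an added example (not from this thread or from the Vaultwarden project) that parses crt.sh-style JSON records and separates concrete hostnames from wildcards. It assumes the crt.sh JSON output shape (`?q=%25.domain.tld&output=json`, each record carrying a newline-separated `name_value` field), which is what the site returns at the time of writing but is not a documented, stable API; the sample records and the domain `example.tld` are constructed for the example.

```python
"""Audit what Certificate Transparency logs disclose about one of your domains.

Added example, not part of the original discussion. The record layout
(`name_value` with newline-separated SANs) is an assumption about crt.sh's
JSON output, not a documented API.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample of crt.sh-style records for a hypothetical domain.
# Mixed case and duplicate names are deliberate: CT data is messy.
SAMPLE_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.tld\nexample.tld",
     "not_before": "2024-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vault.example.tld",
     "not_before": "2024-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "VAULT.example.tld\nmail.example.tld\nshared.other.tld",
     "not_before": "2024-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.internal.example.tld",
     "not_before": "2024-04-01T00:00:00"},
]

# Constructed sample where the owner only ever requested a wildcard cert.
WILDCARD_ONLY_RECORDS = [SAMPLE_RECORDS[0]]


def extract_names(records, domain):
    """Return (hostnames, wildcards): lowercased names under `domain`."""
    domain = domain.lower()
    suffix = "." + domain
    hostnames, wildcards = set(), set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            # A shared certificate may list SANs for unrelated domains; skip them.
            if name != domain and not name.endswith(suffix):
                continue
            (wildcards if name.startswith("*.") else hostnames).add(name)
    return hostnames, wildcards


def exposed_hostnames(records, domain):
    """Concrete (non-wildcard) hostnames that CT logs disclose, sorted.

    The apex itself is excluded: knowing `example.tld` exists is not a leak.
    """
    hostnames, _ = extract_names(records, domain)
    return sorted(h for h in hostnames if h != domain.lower())


def only_wildcards(records, domain):
    """True when CT shows wildcard certs and no concrete hostnames."""
    _, wildcards = extract_names(records, domain)
    return bool(wildcards) and not exposed_hostnames(records, domain)


def fetch_crtsh(domain, timeout=30):
    """Live query against crt.sh (network access; format assumption as above)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed records; pass a domain to query crt.sh.
    import sys
    if len(sys.argv) > 1:
        domain, records = sys.argv[1], fetch_crtsh(sys.argv[1])
    else:
        domain, records = "example.tld", SAMPLE_RECORDS
    leaked = exposed_hostnames(records, domain)
    print(f"{domain}: wildcard-only={only_wildcards(records, domain)}")
    for host in leaked:
        print("  disclosed:", host)
```

On the constructed data the audit reports `mail.example.tld` and `vault.example.tld` as disclosed, which is exactly the situation the comment warns about: a per-host certificate for the vault turns the "hidden" hostname into public record. Issuing only a wildcard (or using a private CA as in mitigation 2) keeps the concrete name out of CT logs.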
A VPN would provide better security for sure. But also make it harder to use (VPN needed on all devices).