Skip to content

Using custom website icons

Jump to bottom Edit New page
Stefan Melmuk edited this page Jun 24, 2025 · 6 revisions

Note

This page is about the website icons displayed next your entries (when using the internal icon service). If you want to customize the look of the web-vault you should refer to Customize Vaultwarden CSS

Important

The clients will only request icons for entries where you have configured an Autofill URI. Be aware that you can also turn off website icons in your client settings, in which case the client will not request icons from Vaultwarden.

If you want to add custom icons for your website entries you can place them in the location of the ICON_CACHE_FOLDER (which defaults to data/icon_cache). The naming is based on the specified IP or fully qualified domain name (FQDN) of your entry, i.e. what Bitwarden calls Hostname in this graphic: bitwarden-uri-graphic
This means the scheme and port will be ignored when requesting icons, so you can't provide different icons based on the port number.

While the web-vault supports a couple of image types like ICO, BMP, GIF, JPG, WEBP and PNG, the cached icons themselves are always named <fqdn>.png or <IP>.png (eg. data/icon_cache/en.wikipedia.org.png). So you should name your custom icons accordingly.

How the icon cache expiration works

If an icon file already exists it will check its last modification time if it is outdated (which is configurable via ICON_CACHE_TTL). If it is expired, it will try to fetch a new icon instead of serving that icon. You can disable the expiration feature by setting ICON_CACHE_TTL=0 so that Vaultwarden will keep any existing icon locally cached forever.

If setting ICON_CACHE_TTL=0 is not an option for you (because you want to get new icons for most websites and only provide a few custom ones), you can also write a cron job that regularly calls touch on your custom placed icons so their modification time is kept fresh and they won't expire.

Important

By default ICON_CACHE_TTL is set to 2592000 seconds so if you don't disable expiration or regularly update the modification time any manually placed icon will be ignored and possible overwritten after 30 days.

If fetching an icon fails (for whatever reason), Vaultwarden will create an (empty) .miss file for that domain (e.g. data/icon_cache/en.wikipedia.org.png.miss) in the ICON_CACHE_FOLDER and not try fetching an icon again for ICON_CACHE_NEGTTL and instead serve an fallback icon instead. The miss file is removed automatically on a new request once the miss file has expired. (Expired in this case means its age is larger than ICON_CACHE_NEGTTL seconds which defaults to 3 days.)

Important

As long as there is an .miss file (that has not yet expired) Vaultwarden will always serve the fallback icon even if there is a valid icon. So remove the corresponding miss file for any custom icon you have created or which modification time you have updated.

Website Icon Troubleshooting

If you have not disabled icon download (DISABLE_ICON_DOWNLOAD) Vaultwardens internal icon service will download the requested icon from a given resource. This is done using a network request to the given domain / ip (disregarding the port). If your Vaultwarden server cannot make outgoing requests (e.g. because of missing internet access) downloading new icons will not work.

By default, Vaultwarden will also block certain IP ranges which it considers non-global (i.e. your private network) due to security concerns. You can also further configure which hosts Vaultwarden should block additionally by specifying a HTTP_REQUEST_BLOCK_REGEX.

If you set ICON_CACHE_NEGTTL=0 you disable the expiration of the miss indicator which means that Vaultwarden will always serve the default fallback icon for the given domain.

Add a custom footer

FAQs

  1. FAQs
  2. Audits
  3. Supporting upstream development

Troubleshooting

  1. Logging
  2. Bitwarden Android troubleshooting

Container Image Usage

  1. Which container image to use
  2. Starting a container
  3. Using Docker Compose
  4. Using Podman
  5. Updating the vaultwarden image

Reverse Proxy

  1. Proxy examples
  2. Using an alternate base dir (subdir/subpath)

HTTPS

  1. Enabling HTTPS
  2. Running a private vaultwarden instance with Let's Encrypt certs

Configuration

  1. Overview
  2. Enabling admin page
  3. SMTP configuration
  4. Disable registration of new users
  5. Disable invitations
  6. Enabling WebSocket notifications
  7. Enabling Mobile Client push notification
  8. Other configuration

Database

  1. Using the MariaDB (MySQL) Backend
  2. Using the PostgreSQL Backend
  3. Running without WAL enabled
  4. Migrating from MariaDB (MySQL) to SQLite

Security

  1. Hardening Guide
  2. Password hint display
  3. Enabling U2F and FIDO2 WebAuthn authentication
  4. Enabling YubiKey OTP authentication
  5. Fail2Ban Setup
  6. Fail2Ban + ModSecurity + Traefik + Docker

Performance

  1. Changing the API request size limit
  2. Changing the number of workers

Customization

  1. Translating the email templates
  2. Translating admin page
  3. Customize Vaultwarden CSS
  4. Using custom website icons
  5. Disabling or overriding the Vault interface hosting

Backup

  1. General (not docker)
  2. Backing up your vault

Development

  1. Building binary
  2. Building your own docker image
  3. Git hooks
  4. Differences from the upstream API implementation

Alternative deployments

  1. Pre-built binaries
  2. Creating a systemd service
  3. Third-party packages
  4. Deployment examples
  5. Disable the admin token

Other Information

  1. Importing data from Keepass or KeepassX
  2. Changing persistent data location
  3. Syncing users from LDAP
  4. Caddy 2.x with Cloudflare DNS
  5. Logrotate example
Clone this wiki locally