From 1dd81fa636cc9cbfd70a4c56320ab21b9de8709a Mon Sep 17 00:00:00 2001
From: Derek Nance
Date: Thu, 29 Jan 2026 13:31:46 -0600
Subject: [PATCH] Restrict cookie vendor to self host using attribute

---
 src/Api/Controllers/SsoCookieVendorController.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Api/Controllers/SsoCookieVendorController.cs b/src/Api/Controllers/SsoCookieVendorController.cs
index 994ff392b5..4d45415a4f 100644
--- a/src/Api/Controllers/SsoCookieVendorController.cs
+++ b/src/Api/Controllers/SsoCookieVendorController.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -10,6 +11,7 @@ namespace Bit.Api.Controllers;
 /// requests to this endpoint do not have the auth cookie stripped.
 ///
 [Route("sso-cookie-vendor")]
+[SelfHosted(SelfHostedOnly = true)]
 public class SsoCookieVendorController(IGlobalSettings globalSettings) : Controller
 {
 private readonly IGlobalSettings _globalSettings = globalSettings;
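Review bot: The XML doc summary directly above the new `[SelfHosted(SelfHostedOnly = true)]` line in the second hunk still describes only the cookie handling and does not say the controller is now restricted to self-hosted installs; add a line such as `/// Only served on self-hosted installations; other deployments reject the request.` The attribute is declared on the class, so it presumably applies to every action. The class body continues outside the hunk, so it cannot be confirmed from here whether an in-action self-host check remains (the injected `IGlobalSettings` suggests there may be one) and is now redundant. Since the summary says requests to this route keep the auth cookie, a test that calls the route under a non-self-hosted configuration and asserts rejection would pin the restriction against a later refactor that drops the attribute.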