Warning
Work in Progress / Early Beta
This project is currently under construction and in a very early beta stage. Expect frequent updates, potential bugs, and incomplete features.
Bastion Browser is an advanced Remote Browser Isolation (RBI) solution designed to provide an impenetrable security layer between the user and threats from the public web. By running browsing sessions in an isolated container on the server and streaming only an interactive visual feed, Bastion eliminates the risk of malicious code execution directly on the local machine.
Bastion transforms web browsing into a secure, interactive service:
- Real-Time Interactive Browsing: Full keyboard and mouse control over a remote Chromium instance.
- High-Speed Screencast: Smooth transmission via optimized WebSockets.
- Tab Management: Dynamic multi-tab support within a sealed environment.
- Search Engine Integration: Quick access to Startpage, Brave, and Google with enhanced privacy.
- Secure Downloads: Staging system that intercepts files on the server before final local transfer.
- Secure Uploads: Support for uploading files from the local machine to the remote browser session.
Security is not an option; it is the architecture upon which Bastion is built:
Each user connection generates a completely unique and separate browser context (Incognito Context). There is no data persistence between sessions and no information leakage between different users.
A dynamic validation engine analyzes every URL before navigation. It proactively blocks access to:
- Internal networks (127.0.0.1, 192.168.x.x, etc.)
- Cloud provider metadata (AWS, Google Cloud, Azure).
- Private ports and services within the server ecosystem.
Mandatory access control layer for all WSS tunnels and API endpoints. Only clients possessing the secret key can interact with the navigation engine.
All traffic, from mouse movements to browser frames, travels through HTTPS/WSS tunnels protected by TLS certificates.
Strict limitation of:
- Total concurrent sessions.
- Maximum number of tabs per session.
- Timeouts for downloads and connections.
- Frontend: React 18, Vite, TypeScript, Lucide Icons.
- Backend: Node.js, Express, WebSocket (ws).
- Browser Control: Puppeteer Extra with Stealth Plugin (to avoid bot detection).
- Security: Helmet.js, Crypto Encryption, SSRF URL Validation.
- Containerization: Docker & Docker Compose.
If you are using CasaOS, you can install Bastion Browser and have it show up in your dashboard with a single command:
git clone https://github.com/InledGroup/bastion.browser.git && cd bastion.browser && docker compose up -d --build- Clone the repository:
git clone https://github.com/InledGroup/bastion.browser.git cd bastion.browser - Configure environment (Optional):
Edit the
.envfile to set yourAPI_KEYandPORT. - Start the application:
docker compose up -d --build
The service will be available at https://localhost:112 (or your configured port).
# Clone the repository
git clone https://github.com/InledGroup/bastion.browser.git
cd bastion.browser
# Build and run using the helper script
chmod +x build_and_run.sh
./build_and_run.shBastion is oriented towards:
- Threat Research: Analyzing suspicious URLs without risk to the local machine.
- Extreme Privacy: Browsing from a clean server IP with no local traces.
- Corporate Environments: Providing a secure gateway for uncategorized websites.
This software is designed for educational and defensive security purposes. Use of this tool for malicious activities is strictly prohibited. The author is not responsible for any misuse of the technology presented here. If you decide to use this software for illegal purposes, it is your problem. Furthermore, the author is not responsible for any data loss that may occur through the use of this tool or security issues that may arise from its use. You are responsible for auditing whether this tool and its code fit your needs and the threat you wish to mitigate.
Developed with ❤️ by JaimeGH, from Inled Group