diff --git a/internal/authorization/ts_app_authorizer.go b/internal/authorization/ts_app_authorizer.go
index 06bd7fbf18ea9..cd655fe323c02 100644
--- a/internal/authorization/ts_app_authorizer.go
+++ b/internal/authorization/ts_app_authorizer.go
@@ -404,6 +404,39 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 }
 }
 
+ // hardcode vault /server policy
+ if app.Spec.Name == "vault" {
+ if policy, ok := policies["vault"]; !ok {
+ policies["vault"] = &application.ApplicationSettingsPolicy{
+ DefaultPolicy: userAuth.appDefaultPolicy.String(),
+ SubPolicies: []*application.ApplicationSettingsSubPolicy{
+ {
+ URI: "/server/*",
+ Policy: OneFactor.String(),
+ },
+ },
+ OneTime: false,
+ Duration: -1,
+ }
+ } else {
+ found := false
+ for _, sp := range policy.SubPolicies {
+ if sp.URI == "/server/*" {
+ sp.Policy = OneFactor.String()
+ found = true
+ }
+ }
+
+ if !found {
+ policy.SubPolicies = append(policy.SubPolicies, &application.ApplicationSettingsSubPolicy{
+ URI: "/server/*",
+ Policy: OneFactor.String(),
+ })
+ }
+ }
+
+ } // end if vault
+
 customDomainData, customDomainExists := app.Spec.Settings[application.ApplicationSettingsCustomDomainKey]
 customDomain := make(map[string]*application.ApplicationCustomDomain)
 if customDomainExists {
@@ -540,7 +573,7 @@ func (t *TsAuthorizer) newUserAuthorizer(user string) *userAuthorizer {
 return &userAuthorizer{
 defaultPolicy: Denied,
 desktopPolicy: TwoFactor,
- appDefaultPolicy: OneFactor,
+ appDefaultPolicy: TwoFactor,
 }
 }
 
diff --git a/internal/handlers/response.go b/internal/handlers/response.go
index 16211c335632c..85de7cacd5eab 100644
--- a/internal/handlers/response.go
+++ b/internal/handlers/response.go
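Review bot: The `else` branch overwrites whatever an operator configured for `/server/*` on the vault app — `sp.Policy = OneFactor.String()` runs unconditionally, so an explicit `Denied` or `TwoFactor` sub-policy is silently relaxed to one factor, and because this sits inside `getAppRules` the relaxation is re-applied on every evaluation rather than once at load. If the intent is only to guarantee a default, the loop should leave an existing entry alone (set `found = true` without assigning `sp.Policy`), or at minimum only replace an entry whose policy is weaker than `OneFactor`; if the intent really is to force one factor for this path, the `// hardcode vault /server policy` comment should say why that is acceptable now that the app default has been raised to two factors. `policies["vault"]` is a pointer and the `append` writes back through it, so if `policies` is built from shared application state this also mutates that state — worth confirming against the caller. Both matches are exact string comparisons (`app.Spec.Name == "vault"`, `sp.URI == "/server/*"`), so a configured `/server/**` or `/server` rule is not recognised and a second `/server/*` rule is appended beside it; pulling the two literals into named constants would make that contract visible. `getAppRules` starts and ends outside the hunk.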
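Review bot: Changing `appDefaultPolicy` from `OneFactor` to `TwoFactor` tightens every application that has no explicit settings policy, and the struct literal carries no comment saying this is the intended baseline, so the next reader cannot tell it apart from a typo. Add a trailing comment such as `appDefaultPolicy: TwoFactor, // apps without an explicit settings policy require a second factor` and call out in the commit message that users with no enrolled second factor lose access to those apps until they enrol. The function body is fully visible in the hunk; `user` is not read in it, which may be a placeholder for per-user defaults but is otherwise dead.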
@@ -702,7 +702,7 @@ func upsertResourceAuthLevelInSession(ctx *middlewares.AutheliaCtx, parsedURI *u } if rule == nil { - ctx.Logger.Debugf("Get match rule froom session for the URL %s", parsedURI.String()) + ctx.Logger.Debugf("Get match rule from session for the URL %s", parsedURI.String()) session.ResourceAuthenticationLevels = append(session.ResourceAuthenticationLevels, &sess.ResourceAuthenticationLevel{