-
Notifications
You must be signed in to change notification settings - Fork 0
Security and Privacy
Public GhostlyShare links expose the selected local app to the internet.
Only expose apps you own, trust, and are allowed to share. Public links are useful for demos, temporary reviews, webhook testing, and quick device testing, but they should still be treated carefully.
GhostlyShare is intended for lawful development, testing, demos, and quick sharing of local apps from your own device.
Do not use GhostlyShare for illegal content, malware, phishing, spam, copyright infringement, privacy violations, unauthorized access, or any other harmful or abusive activity. See the repository Responsible Use policy for the full policy text.
Do not expose:
- Private admin panels.
- Company-internal systems.
- Database tools.
- Operating system or router services.
- Infrastructure, VPN, printer, or proxy services.
- Anything that contains private customer, company, or personal data.
GhostlyShare intentionally hides some system and infrastructure ports to reduce the chance of accidental exposure.
Anyone who has a public link can try to open it. Treat every public URL as internet reachable, even when you plan to share it with only a small group.
Password protection protects the GhostlyShare public link. When it is enabled, visitors must enter the password before GhostlyShare forwards traffic to the local app.
This is useful for private demos and temporary testing, but the local app should still be treated carefully. Password protection is not a full user-management system and does not replace careful sharing.
Password visitor sessions expire. The default is 30 minutes, and failed password attempts from the same visitor are locked for 5 minutes after the configured limit is reached. See Password Protection for the exact behavior.
Link lifetime can automatically take a public link offline after a selected time. This is useful for demos and short tests where you do not want a link to stay open by accident.
Link lifetime is not access control. Anyone with the link can still reach it until it expires, unless password protection is also enabled. See Link Lifetime for limits and CLI examples.
Traffic statistics are simple local counters for the current public-link session. They can help you see basic activity such as requests, approximate visitors, and active users while a link is live.
They are not full analytics, monitoring, access control, or a security audit. Do not use them as a reason to expose sensitive services.
Never post these in public GitHub issues:
- Cloudflare API tokens.
- Passwords.
- Private public URLs.
- Logs that contain secrets.
- Customer or company data.
Remove or redact secrets before posting logs or examples.
- Home
- Installation
- Getting Started
- Command Line Interface
- Security and Privacy
- App Detection
- App Merging
- Going Public
- Traffic Statistics
- Link Lifetime
- Password Protection
- Rate Limits and Sessions
- Custom Domains
- Cleanup and Uninstall
- Known Limitations
- Windows and Linux
- Troubleshooting
- Report Bugs / Request Features
- Testing Checklist
- FAQ