Skip to content

Security and Privacy

Jump to bottom
Nix edited this page May 30, 2026 · 5 revisions

Security and Privacy

Public GhostlyShare links expose the selected local app to the internet.

Only expose apps you own, trust, and are allowed to share. Public links are useful for demos, temporary reviews, webhook testing, and quick device testing, but they should still be treated carefully.

Do Not Expose Sensitive Services

Do not expose:

  • Private admin panels.
  • Company-internal systems.
  • Database tools.
  • Operating system or router services.
  • Infrastructure, VPN, printer, or proxy services.
  • Anything that contains private customer, company, or personal data.

GhostlyShare intentionally hides some system and infrastructure ports to reduce the chance of accidental exposure.

Password Protection

Password protection protects the GhostlyShare public link. When it is enabled, visitors must enter the password before GhostlyShare forwards traffic to the local app.

This is useful for private demos and temporary testing, but the local app should still be treated carefully. Password protection is not a full user-management system and does not replace careful sharing.

Password visitor sessions expire. The default is 30 minutes, and failed password attempts from the same visitor are locked for 5 minutes after the configured limit is reached. See Password Protection for the exact behavior.

Link Lifetime

Link lifetime can automatically take a public link offline after a selected time. This is useful for demos and short tests where you do not want a link to stay open by accident.

Link lifetime is not access control. Anyone with the link can still reach it until it expires, unless password protection is also enabled. See Link Lifetime for limits and CLI examples.

Traffic Statistics

Traffic statistics are simple local counters for the current public-link session. They can help you see basic activity such as requests, approximate visitors, and active users while a link is live.

They are not full analytics, monitoring, access control, or a security audit. Do not use them as a reason to expose sensitive services.

Public Issues

Never post these in public GitHub issues:

  • Cloudflare API tokens.
  • Passwords.
  • Private public URLs.
  • Logs that contain secrets.
  • Customer or company data.

Remove or redact secrets before posting logs or examples.

GhostlyShare

Clone this wiki locally