v1.0.231
✨ New: optional token auth for remote access
Exposing cockpit beyond your own machine — a tunnel, a LAN, a reverse proxy — used to mean anyone with the URL was in. You can now require a token for any non-local request, while local access stays frictionless.
cockpit --token <your-secret> # off by default — omit it and nothing changes- Local stays open. Requests from localhost — your browser on the host, the
cockCLI,/cgcurls, the self-probe — are exempt and never need a token. - Remote must present the token, in any of three ways: an
Authorization: Bearer <token>header, acockpit_tokencookie, or?token=<token>on first visit (which sets the cookie and redirects to strip the param back out of the URL). - Tunnel-aware. A forwarding header (
X-Forwarded-For/X-Real-IP/Forwarded) drops local trust, so a same-host tunnel or proxy — ngrok, Caddy, nginx — can't pose as localhost. HTTP, WebSocket, and the share server are all gated.
Set it with the flag, or the COCKPIT_TOKEN environment variable.
🐛 Fix: session search finds the right session
Searching the Recent Sessions and session-list modals now matches a session's summary/title and its full message text. Before, the summary line (kept only on disk) was never part of the search, and message text was truncated to 50 characters and sampled (first 5 + last 5 messages) — so long tails and mid-conversation matches silently fell through. Both modals now search the complete text.
📦 Misc: clearer tool-call titles
The tool-call modal now shows the query for ToolSearch and the subject for TaskCreate as its title line, the way Grep already shows its pattern.