Security Considerations¶
Local vs Remote Access¶
| Mode | Binding | Authentication | Use Case |
|---|---|---|---|
| Local (default) | 127.0.0.1 |
Optional | Development, testing |
| Remote | 0.0.0.0 |
Required | Production, multi-user |
Token Authentication¶
When remote=True or auth_token is provided:
- All API requests require the
Authorization: Bearer <token>header - Tokens are compared using constant-time comparison to prevent timing attacks
- Auto-generated tokens are 32-character hex strings (128 bits of entropy)
Best Practices¶
Production Deployment
For production deployments, always:
- Use
remote=Truewith a strong custom token - Deploy behind a reverse proxy (nginx, Caddy) with HTTPS
- Restrict access using firewall rules
- Consider disabling the web UI (
serve_ui=False) if not needed
Token Management
- Store tokens securely (environment variables, secrets manager)
- Rotate tokens periodically
- Use different tokens for different environments