Security

One public listener, one secret, no browser surface. Every choice keeps the attackable area as small as possible.

A small surface

Not publicly listening

The API binds to localhost only; the address is hardcoded and cannot be overridden. Caddy is the single public listener: it accepts connections on the server's IP and proxies them to the loopback API. There is no browser surface, so there is no CSRF, no sessions and no cookies.

Reveals nothing

Hit the IP without a valid token, or hit any unknown URL, and you get a plain 404, identical to the response for a missing file. Nothing advertises that an authenticated API exists.

Authenticated calls return 200; everything else is an indistinguishable 404.

One secret, strict paths

One secret, no config

Every path is fixed; the only per-install input is one token in /etc/localhoster/token (a file, not an env var, which would leak via /proc), compared in constant time.

Strict paths

Paths are split on / and every segment must be a non-dot, URL-safe name; traversal, absolute paths, empty segments and odd bytes are rejected before anything touches disk. What survives is confined to the content root, and any path that passes through a symlink is refused.

Certificates

No cert abuse

Caddy issues a certificate only for a domain that the API, through a localhost-only gate, confirms has a folder, so nobody can force issuance for domains you don't host.
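The path rules above and the certificate gate share one piece of logic: a name is validated segment by segment before it is mapped under the content root, and the result is refused if any component is a symlink. The block below is an added example, not the project's code. It assumes Go, a content root of /srv/localhoster, a loopback port of 8081, and one reasonable definition of "URL-safe" (ASCII letters, digits, '-', '_' and '.', never starting with a dot); the "domain" query parameter is what Caddy's on_demand_tls "ask" endpoint sends, and the handler answers 200 for a hosted domain and 404 for anything else.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var errBadPath = errors.New("path rejected")

// A URL-safe segment (assumed definition): ASCII letters, digits, '-', '_'
// and '.', and it may not start with a dot, which rules out ".", ".." and
// dotfiles in one check. Anything else, including spaces, '%', NUL and
// non-ASCII bytes, fails the match.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9_-][A-Za-z0-9._-]*$`)

// resolve validates a site-relative path and maps it under root. Every
// syntactic check runs before any filesystem call; the symlink walk is the
// only part that touches disk, and it reads metadata only.
func resolve(root, p string) (string, error) {
	if p == "" || strings.HasPrefix(p, "/") {
		return "", errBadPath // empty or absolute path
	}
	segs := strings.Split(p, "/")
	for _, s := range segs {
		if !segmentRe.MatchString(s) {
			return "", errBadPath // empty segment, dot segment or odd bytes
		}
	}
	// Refuse the path if any component below root is a symlink. A missing
	// component ends the walk: nothing beneath it can exist, so nothing
	// beneath it can be a link.
	for i := 1; i <= len(segs); i++ {
		cur := filepath.Join(append([]string{root}, segs[:i]...)...)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", errBadPath
		}
	}
	return filepath.Join(append([]string{root}, segs...)...), nil
}

// labelRe is one DNS hostname label, lowercase, 1 to 63 characters.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// hostsDomain reports whether root contains a real directory named after
// the domain. Case and a trailing dot are normalised and every label is
// checked first, so the lookup cannot be turned into a path probe.
func hostsDomain(root, domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	if d == "" || len(d) > 253 {
		return false
	}
	for _, l := range strings.Split(d, ".") {
		if !labelRe.MatchString(l) {
			return false
		}
	}
	full, err := resolve(root, d)
	if err != nil {
		return false
	}
	fi, err := os.Stat(full)
	return err == nil && fi.IsDir()
}

// askHandler is the localhost-only gate Caddy consults before issuing:
// 200 means "this domain has a folder"; anything else refuses issuance.
func askHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if hostsDomain(root, r.URL.Query().Get("domain")) {
			w.WriteHeader(http.StatusOK)
			return
		}
		http.NotFound(w, r)
	}
}

func main() {
	root := "/srv/localhoster" // assumed content root
	http.Handle("/ask", askHandler(root))
	// Loopback only: Caddy reaches this gate from the same host. Port assumed.
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", nil))
}
```

Two caveats a reviewer would raise. The symlink walk is check-then-use: the code that later opens the resolved path should open it without following links as well, or a link created between the Lstat and the open would slip through. And resolve does not inspect root itself; if the content root may be a symlink, resolve it once at startup and keep the resolved form.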

Encrypted by IP

The client reaches the API at https://<ip> over a self-signed cert; the bearer token authenticates you. Prefer full verification? Point a hostname you own at the box and use that.