Tunnels expose your local machine to the internet. That's the whole point — but it also means you need to be deliberate about security. Here are essential practices every Tunels user should follow.

1. Only Tunnel What You Need

Don't tunnel your entire machine. Tunels forwards traffic to a specific port, and you should only expose the port running your application server. Never tunnel management ports (database admin panels, debug ports) without authentication.

2. Use Authentication

For any tunnel that will be accessed by others, enable authentication:

# Basic auth
tunels http 3000 --auth "user:strongpassword"

# IP restrictions (Gold+)
tunels http 3000 --ip-allow "10.0.0.0/8"

This prevents unauthorized access to your development server.

3. Verify Webhook Signatures

When testing webhooks, always validate the signature in your handler. Services like Stripe, GitHub, and Slack sign their payloads. Even in development, practice proper signature verification:

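// Stripe example (Node.js)
// req.body must be the raw request body (string or Buffer), not parsed JSON.
const sig = req.headers['stripe-signature'];
// constructEvent throws if the signature does not match; reject the request in that case.
const event = stripe.webhooks.constructEvent(
    req.body, sig, endpointSecret
);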
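
The same kind of check done by hand for a GitHub-style signature, as an added example that is not from the original article or from Tunels: the `X-Hub-Signature-256` header carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body. The function names, secret and payload below are constructed for illustration.

```javascript
// Added example (Node.js): GitHub-style webhook signature verification.
const crypto = require('crypto');

// Returns true only if `header` ("sha256=<hex>") is the HMAC-SHA256 of rawBody.
function verifyWebhookSignature(rawBody, header, secret) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(header.slice('sha256='.length), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample values (assumptions, not real credentials or payloads).
const SAMPLE_SECRET = 'dev-only-secret';
const SAMPLE_BODY = Buffer.from('{"action": "opened", "number": 1}');

// What the sending service does: sign the exact bytes it transmits.
function signSample(body, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
}

function demo() {
  const good = signSample(SAMPLE_BODY, SAMPLE_SECRET);
  const tampered = Buffer.from('{"action": "opened", "number": 2}');
  // Parsing and re-serializing changes whitespace, so the bytes no longer match.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString())));
  return {
    valid: verifyWebhookSignature(SAMPLE_BODY, good, SAMPLE_SECRET),
    tamperedBody: verifyWebhookSignature(tampered, good, SAMPLE_SECRET),
    wrongSecret: verifyWebhookSignature(SAMPLE_BODY, good, 'other-secret'),
    missingHeader: verifyWebhookSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncatedHeader: verifyWebhookSignature(SAMPLE_BODY, good.slice(0, 20), SAMPLE_SECRET),
    reserializedBody: verifyWebhookSignature(reserialized, good, SAMPLE_SECRET),
  };
}

console.log(demo());
```

Only the first case passes; the `reserializedBody` case shows why the handler must verify the raw bytes before any JSON parsing.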

4. Don't Commit Tunnel URLs

Never hardcode tunnel URLs in your codebase or commit them to version control. Use environment variables:

API_URL=https://myapp.tunels.io npm start

5. Shut Down Tunnels When Idle

Leaving tunnels running overnight or over weekends creates unnecessary exposure. Tunels automatically times out idle tunnels based on your plan, but it's good practice to shut them down manually when you're done.

6. Monitor Tunnel Activity

Use the Tunels web UI at http://localhost:4040 to monitor all incoming requests. Look for:

  • Unexpected request patterns (scanning bots)
  • Requests from unknown IP addresses
  • High request volumes that might indicate abuse

7. Keep Your Local Services Updated

When you tunnel a service, you're exposing it to the internet. Make sure your local development frameworks and dependencies are up to date with security patches.

8. Use TLS (It's Automatic)

All Tunels connections use TLS encryption by default. The control channel between your client and the Tunels server is encrypted, and public-facing tunnel URLs use HTTPS with valid certificates. Never disable TLS verification in your applications.

Conclusion

Tunneling is a powerful development tool, but like any tool that touches the internet, it requires security awareness. Follow these practices and you can develop confidently knowing your environment is protected.