How to Share Your Localhost Securely Without Leaving a Door Open

May 19, 2026·5 min read·DevNet

Sharing a local development server with a client or teammate is one of those things that sounds simple but quietly creates real security risk. You run a command, get a public URL, and share it. But that URL is now live on the internet — and unless you've taken explicit steps to control access, anyone who finds it can hit your localhost.

This guide covers the specific controls that matter and how to use them.

Why an open tunnel is riskier than it looks

Your local dev server often has things you wouldn't expose in production: debug endpoints, unauthenticated admin routes, seed data with real-looking user records, .env variables accidentally printed to the console, or hot-reload websockets that expose your file tree.

A public tunnel URL doesn't expire on its own. It stays alive until you kill the process — or your laptop goes to sleep and you forget about it. In the meantime, that URL can be indexed by scanners, shared accidentally in a Slack export, or picked up by bots crawling for open dev servers.

The risk isn't hypothetical. It's the natural consequence of the tool doing exactly what it was designed to do.

Control 1: Per-device approval

The most direct protection is requiring explicit approval before anyone can access your tunnel. When a new device visits the URL for the first time, the visitor sees a waiting screen. Your terminal shows you the device details (browser and IP address) and asks you to approve or deny.

devnet share 3000

That's all you need. Per-device approval is on by default. Every new device has to wait for you to respond before they get through. Approved sessions are remembered for the lifetime of the tunnel, so your client doesn't get prompted on every page load.

The approval prompt shows up in your terminal in real time. If you see a request from an IP you don't recognize, deny it.

Control 2: TTL expiry

Tunnels that don't expire are a liability. The longer a URL is live, the larger the window for something to go wrong.

DevNet tunnels expire automatically. You pick the TTL when you start the tunnel:

devnet share 3000 --ttl 15m   # 15 minutes
devnet share 3000 --ttl 1h    # 1 hour (default)
devnet share 3000 --ttl 24h   # 24 hours (Pro)

When the TTL hits, the tunnel closes and the URL goes dead. There's nothing to clean up and nothing left open by accident.

For quick demos, use --ttl 15m. For a working session with a client, --ttl 1h is usually enough. The 24-hour option is there for Pro users running longer-lived integrations.

Control 3: IP whitelisting

If you know exactly who needs access — say, it's just your client's office IP or a specific teammate — you can lock the tunnel to that IP entirely:

devnet share 3000 --allow-ip 203.0.113.42

Any request from any other IP gets blocked immediately, before the approval prompt even appears. This is the tightest access control DevNet offers, and it's useful any time you're sharing with someone whose IP you know in advance.

You can pass multiple IPs:

devnet share 3000 --allow-ip 203.0.113.42 --allow-ip 198.51.100.7

Control 4: Password protection

IP whitelisting isn't always practical — clients work from home, switch networks, use VPNs. For those cases, a password gives you a second layer without needing to know the IP:

devnet share 3000 --password supersecret

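Visitors hit a password prompt before they even reach the waiting-for-approval screen. Wrong password, no access. Because the password is passed as a command-line argument, it lands in your shell history and is visible in the local process list while the tunnel runs, so pick a throwaway value for each tunnel rather than reusing a real credential.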

Password protection pairs well with the email invite flag, which sends the tunnel URL directly to a recipient's inbox:

devnet share 3000 --password supersecret --invite client@example.com

They get the URL, you give them the password out of band (over a call, a DM), and nobody else who stumbles across the URL can get through.

Combining controls

These options compose. For a client demo where you want tight control:

devnet share 3000 --ttl 1h --password mysecret --invite client@example.com

For an internal session with a colleague on a known network:

devnet share 3000 --ttl 30m --allow-ip 198.51.100.0/24

For a quick look that needs to expire fast:

devnet share 3000 --ttl 15m
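
To make the layering concrete, here is an added Python sketch of how the four controls gate a single request; it is not DevNet's code. The class name, the device identifiers and the placement of the IP check ahead of the password check are assumptions (the post only states that both happen before the approval prompt).

```python
# Added illustration, not DevNet's code. Check order and device ids are assumptions.
import hmac
import ipaddress
import time

class TunnelGate:
    def __init__(self, ttl_seconds, allow_ips=(), password=None, now=time.monotonic):
        self._now = now
        self.expires_at = now() + ttl_seconds
        # strict=False accepts single addresses and CIDR ranges alike.
        self.allow = [ipaddress.ip_network(a, strict=False) for a in allow_ips]
        self.password = password
        self.approved = set()  # devices the operator has approved
        self.pending = set()   # devices currently waiting on the terminal prompt

    def check(self, ip, device_id, password=None):
        if self._now() >= self.expires_at:
            return "expired"                # TTL reached: the URL is dead
        addr = ipaddress.ip_address(ip)
        if self.allow and not any(addr in net for net in self.allow):
            return "blocked"                # rejected before any prompt appears
        if self.password is not None:
            supplied = (password or "").encode()
            # Constant-time comparison avoids leaking a prefix match via timing.
            if not hmac.compare_digest(supplied, self.password.encode()):
                return "password_required"
        if device_id in self.approved:
            return "allowed"                # remembered for the tunnel's lifetime
        self.pending.add(device_id)
        return "waiting_for_approval"

    def decide(self, device_id, approve):
        self.pending.discard(device_id)     # operator answered the prompt
        if approve:
            self.approved.add(device_id)

def demo():
    clock = [0.0]  # constructed fake clock so the TTL can be exercised offline
    gate = TunnelGate(1800, ["198.51.100.0/24"], "mysecret", now=lambda: clock[0])
    out = [gate.check("203.0.113.42", "laptop-a", "mysecret"),  # outside the range
           gate.check("198.51.100.7", "laptop-b"),              # no password yet
           gate.check("198.51.100.7", "laptop-b", "mysecret")]  # now awaits approval
    gate.decide("laptop-b", approve=True)
    out.append(gate.check("198.51.100.7", "laptop-b", "mysecret"))
    clock[0] = 1800.0                                           # TTL elapses
    out.append(gate.check("198.51.100.7", "laptop-b", "mysecret"))
    return out

if __name__ == "__main__":
    print(demo())
```

A request from outside the allowed range never enters the pending set, so it produces no prompt for the operator to approve by mistake.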

The default is already safe

If you just run devnet share 3000 with no flags, per-device approval is still on. Nobody gets through without you responding to the prompt in your terminal. The 1-hour TTL means the URL dies automatically.

The options above let you tighten things further when the situation calls for it. But the baseline isn't "open to the internet and hope for the best" — it's "nobody gets in until you say so."

That's the design principle behind DevNet: access control is built into every tunnel, not bolted on as an afterthought.

