Ngrok Security & Access Rules

Beginner

Enforce security standards for ngrok tunnels — authentication requirements, IP restrictions, authtoken management, and prohibited exposure patterns.

File Patterns

**/ngrok.yml**/ngrok*.yaml**/.env*

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Ngrok Security & Access Rules

## Rule
All ngrok tunnels exposing services beyond local testing MUST have authentication configured. Authtokens MUST never be committed to version control.

## Requirements

### Authentication
- Tunnels shared with team members MUST use OAuth or basic auth
- Tunnels accessible from the internet MUST have IP restrictions or OAuth
- Local-only development tunnels MAY skip authentication

### Authtoken Management
- NEVER commit authtokens to version control
- Store in environment variables or .env files (gitignored)
- Use separate authtokens per team member (not shared)
- Rotate authtokens if compromised

### Prohibited Exposures
| Service | Rule |
|---------|------|
| Databases (PostgreSQL, MySQL, Redis) | NEVER expose without VPN or IP restriction |
| Admin panels (phpMyAdmin, Adminer) | NEVER expose without OAuth |
| Debug endpoints (/debug, /pprof) | NEVER expose publicly |
| Internal APIs with no auth | NEVER expose without ngrok OAuth |

### Configuration File Security
```yaml
# GOOD: authtoken from environment variable
version: "3"
agent:
  authtoken: ${NGROK_AUTHTOKEN}

# BAD: hardcoded authtoken
version: "3"
agent:
  authtoken: 2abc123def456...
```

## Examples

### Good
```yaml
tunnels:
  staging:
    addr: 3000
    proto: http
    oauth:
      provider: google
      allow_domains: ["company.com"]
```

### Bad
```bash
# Exposing database with no protection
ngrok tcp 5432

# Exposing admin panel with no auth
ngrok http 8080  # phpMyAdmin running on 8080
```

## Enforcement
Add ngrok authtoken patterns to .gitignore and secret scanning.
Review tunnel configurations in team setup documentation.
Use ngrok's IP policy feature for production-adjacent tunnels.

FAQ

Discussion

Loading comments...

# Ngrok Security & Access Rules ## Rule All ngrok tunnels exposing services beyond local testing MUST have authentication configured. Authtokens MUST never be committed to version control. ## Requirements ### Authentication - Tunnels shared with team members MUST use OAuth or basic auth - Tunnels accessible from the internet MUST have IP restrictions or OAuth - Local-only development tunnels MAY skip authentication ### Authtoken Management - NEVER commit authtokens to version control - Store in environment variables or .env files (gitignored) - Use separate authtokens per team member (not shared) - Rotate authtokens if compromised ### Prohibited Exposures | Service | Rule | |---------|------| | Databases (PostgreSQL, MySQL, Redis) | NEVER expose without VPN or IP restriction | | Admin panels (phpMyAdmin, Adminer) | NEVER expose without OAuth | | Debug endpoints (/debug, /pprof) | NEVER expose publicly | | Internal APIs with no auth | NEVER expose without ngrok OAuth | ### Configuration File Security ```yaml # GOOD: authtoken from environment variable version: "3" agent: authtoken: ${NGROK_AUTHTOKEN} # BAD: hardcoded authtoken version: "3" agent: authtoken: 2abc123def456... ``` ## Examples ### Good ```yaml tunnels: staging: addr: 3000 proto: http oauth: provider: google allow_domains: ["company.com"] ``` ### Bad ```bash # Exposing database with no protection ngrok tcp 5432 # Exposing admin panel with no auth ngrok http 8080 # phpMyAdmin running on 8080 ``` ## Enforcement Add ngrok authtoken patterns to .gitignore and secret scanning. Review tunnel configurations in team setup documentation. Use ngrok's IP policy feature for production-adjacent tunnels.