How to protect a tunnel with header authentication

Header auth checks that incoming requests carry an expected header name and value. Wrong or missing headers never reach your app.

Free plan: 1 header-auth policy. Pro / PAYG: 10.

Step 1 — Create the policy

Open Dashboard → Security → Header Auth.
Set header name (e.g. X-Preview-Token) and expected value.
Save and copy ngsrv_hdr_….

Step 2 — Attach to a tunnel

ngsrv http 4200 --policy ngsrv_hdr_client_preview

Share with your client:

URL: https://client-preview.tnl.ngsrv.com
Header: X-Preview-Token: <value from dashboard>

Browsers cannot set custom headers on normal navigation — clients use curl, Postman, or a small bookmarklet/proxy. For browser-only previews, combine with IP allowlist.

Webhook tip

Some providers let you add custom headers on outbound webhooks. Match the header auth policy so only signed traffic passes.

More: Header Auth docs