Security at the edge — on every plan
Most tunnel tools treat security like a premium add-on. OAuth gates, IP allowlists, and WAF rules sit behind enterprise tiers.
ngsrv does the opposite: every plan gets real edge policies (IP, geo, header auth, time windows, rate limits, WAF). You pay for scale — how many policies, tunnels, bandwidth — not for the privilege of locking a tunnel down. mTLS is Pay as you go and Enterprise only.
What you get
| Plan | Policies per type | mTLS |
|---|---|---|
| Free | 1 each | — |
| Pro | 10 each | — |
| Pay as you go | 10 each | ✓ |
Policy types: IP allowlist/blocklist, geo restrictions, header authentication, time-based access, rate limiting, and WAF.
Create a policy once in Dashboard → Security. Reference it by ID in ngsrv.yml or --policy. Reusing the same ID does not burn extra quota.
How it works
- Create the policy in the dashboard (pick the type that matches your threat model).
- Copy the policy ID (e.g.
ngsrv_ips_ABC123). - Attach it to a tunnel:
ngsrv http 3000 --policy ngsrv_ips_ABC123
Or in config:
port: 3000
subdomain: api
security_policies:
- ngsrv_ips_ABC123
- ngsrv_rate_webhooks
Policies enforce at the edge before traffic hits your laptop. Your app stays dumb; the tunnel carries the guardrails.
Why this matters
- Webhooks: Stripe and GitHub hit a public URL. IP allowlist + header auth stops random scanners without touching your handler.
- Client previews: Header auth or IP allowlist so only your client reaches the demo.
- APIs in dev: Rate limits catch runaway scripts before they flatten your local DB.
Deep dives
- How to protect a tunnel with IP allowlist
- How to protect a tunnel with geo restrictions
- How to protect a tunnel with header auth
- How to protect a tunnel with time-based access
- How to protect a tunnel with rate limiting
- How to protect a tunnel with WAF rules
- How to protect a tunnel with mTLS (Pay as you go+)
Full reference: docs security index.