Network security
Expose a remote Codevisor Server without exposing its credentials or transport.
Codevisor Server speaks plain HTTP and WebSocket. It does not terminate TLS. For access outside a trusted private network, put it behind a TLS-terminating reverse proxy or a private overlay network.
Recommended baseline
- Run with
--auth tokenwhenever the bind address is not loopback. - Restrict port
49361with a host firewall or private network policy. - Terminate HTTPS and WSS before traffic crosses an untrusted network.
- Keep the SQLite database and installation directory readable only by the service user.
- Configure explicit CORS origins only for browser clients you control.
- Store pairing tokens in a credential manager; the current API does not expose token revocation.
The hosted API reference intentionally does not execute requests. This prevents server addresses and
bearer tokens from being sent to www.codevisor.dev.