Security: Explicit Forbidden Exposure Paths

This page is an explicit deny-list for unsupported exposure patterns.

Hard Not Allowed

tailscale serve for ClawControl ports
binding ClawControl to 0.0.0.0
exposing ClawControl through reverse proxy to LAN/WAN
public tunnel exposure (ngrok, cloudflared, similar)
disabling local-only safeguards for public access behavior

Why

ClawControl is designed as a local-first admin console with single-user trust assumptions and local host enforcement. Unsupported exposure patterns break those assumptions.

Supported Remote Pattern

Only user-initiated SSH local forwarding (including Tailscale transport) is supported.

Last updated

2026-02-09

Remote Tunnel-only Workflow
Security: Local-only Enforcement
Operations: Loopback Policy Violations

Approvals typed confirm Tailscale ssh tunnel only

⌘I

Home

Product

Quickstart

Features

Integration

Security & Networking

Remote Access

Data

API Reference

Operations

Deployment

Developers

Forbidden exposure paths

Security: Explicit Forbidden Exposure Paths

Hard Not Allowed

Why

Supported Remote Pattern

Last updated

Home

Product

Quickstart

Features

Integration

Security & Networking

Remote Access

Data

API Reference

Operations

Deployment

Developers

​Security: Explicit Forbidden Exposure Paths

​Hard Not Allowed

​Why

​Supported Remote Pattern

​Last updated

​Related pages

Security: Explicit Forbidden Exposure Paths

Hard Not Allowed

Why

Supported Remote Pattern

Last updated

Related pages