Docs · Reverse proxy

Reverse proxy and public exposure

SteadyPlan contains sensitive personal financial data. Safest default is LAN/VPN-only. Public exposure is an admin choice and should be configured carefully.

Recommended posture

  • Default: access SteadyPlan over home LAN or VPN only
  • If public: use HTTPS via a trusted reverse proxy or tunnel
  • Use strong passwords, and consider extra auth at the proxy/tunnel layer

This page is guidance, not an automated security audit.

HTTPS options

Typical approaches include a reverse proxy with HTTPS (for example Nginx Proxy Manager) or a tunnel/VPN approach (for example Cloudflare Tunnel or Tailscale). Use the approach you already trust and maintain.

Cookies and HTTPS

If SteadyPlan is served behind HTTPS, enable production cookie settings so your browser marks session cookies as secure:

APP_ENV=production

If you intentionally run SteadyPlan over plain HTTP on your LAN, keep production mode off so login works over http://.

Proxy headers

Only set TRUST_PROXY_HEADERS=1 when SteadyPlan is behind a trusted reverse proxy that sets X-Forwarded-For and X-Forwarded-Proto correctly. Do not enable it if you access the container directly without a proxy.

At the server layer, forwarded-header trust should also be widened deliberately via FORWARDED_ALLOW_IPS when your proxy/tunnel is not on localhost. Prefer an exact proxy IP/network if you can; treat * as an explicit advanced choice rather than the default.

What this does not do

SteadyPlan does not attempt to detect your exposure status or configure your proxy for you. Treat public exposure like any other self-hosted web app: pick a secure pattern and configure it intentionally.

Next: Privacy · Backups · Install