Reverse proxy and public exposure

SteadyPlan contains sensitive personal financial data. The safest default is LAN/VPN-only access. Public exposure is an admin choice and should be configured carefully.

Recommended posture

  • Default: access SteadyPlan over home LAN or VPN only
  • If public: use HTTPS via a trusted reverse proxy or tunnel
  • Use strong passwords, and consider extra auth at the proxy/tunnel layer

This page is guidance, not an automated security audit.

HTTPS options

Typical approaches include a reverse proxy with HTTPS (for example Nginx Proxy Manager) or a tunnel/VPN approach (for example Cloudflare Tunnel or Tailscale). Use the approach you already trust and maintain.

Proxy headers

Only set TRUST_PROXY_HEADERS=1 when SteadyPlan is behind a trusted reverse proxy that sets X-Forwarded-For and X-Forwarded-Proto correctly. Do not enable it if you access the container directly without a proxy.
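The following added Python example (not SteadyPlan's own code; the resolve_client and trust_from_env helpers and the sample addresses are hypothetical) shows why the flag must match the deployment: with the flag on and a proxy in front, the forwarded headers give the real client address and scheme; with the flag on and no proxy, whatever the connecting client puts in those headers is believed.

```python
# Hypothetical illustration of how an app honours TRUST_PROXY_HEADERS; not SteadyPlan code.

def trust_from_env(environ):
    """Mirror the documented switch: only the literal value 1 enables header trust."""
    return environ.get("TRUST_PROXY_HEADERS", "0").strip() == "1"


def resolve_client(remote_addr, scheme, headers, trust_proxy_headers):
    """Return (client_ip, scheme) the way an app behind an optional proxy would see them.

    remote_addr / scheme: what the TCP connection itself reports.
    headers: request headers with lower-cased names.
    trust_proxy_headers: the value of TRUST_PROXY_HEADERS=1.
    """
    if not trust_proxy_headers:
        # Headers are ignored: whoever opened the connection is the client.
        return remote_addr, scheme
    xff = headers.get("x-forwarded-for")
    xfp = headers.get("x-forwarded-proto")
    # A proxy appends to X-Forwarded-For; the first entry is the original client.
    client_ip = xff.split(",")[0].strip() if xff else remote_addr
    client_scheme = xfp.split(",")[0].strip().lower() if xfp else scheme
    return client_ip, client_scheme


def scenarios():
    """Constructed sample requests (RFC 5737 documentation addresses)."""
    proxied = {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"}
    forged = {"x-forwarded-for": "127.0.0.1", "x-forwarded-proto": "https"}
    return {
        # Correct: proxy at 10.0.0.5 terminates TLS and sets the headers.
        "behind_proxy_trusted": resolve_client("10.0.0.5", "http", proxied, True),
        # Misconfigured: no proxy, flag on; the client's own headers are believed.
        "direct_trusted": resolve_client("203.0.113.9", "http", forged, True),
        # Correct for direct access: flag off, headers ignored.
        "direct_untrusted": resolve_client("203.0.113.9", "http", forged, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: ip={result[0]} scheme={result[1]}")
```

The direct_trusted case is the misconfiguration the paragraph warns about: the app would log a loopback address and assume HTTPS for a plain-HTTP client.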

What this does not do

SteadyPlan does not attempt to detect your exposure status or configure your proxy for you. Treat public exposure like any other self-hosted web app: pick a secure pattern and configure it intentionally.