Is a Quackshell URL public?

A Quackshell URL is reachable from the internet while the session is running, but it is signed and random. Treat it like a private preview link.

Is Quackshell for production endpoints?

No. Quackshell is intended for short-lived previews, not long-running public-facing endpoints or production hosting.

Security

Is exposing localhost safe?

Exposing localhost is safe only when the scope is clear. You are making a local server reachable through a browser URL, so you should treat that URL as access to whatever the server can return.

Quackshell's access model

Quackshell security comes from the signed, random URL. The URL is hard to guess, and the relay only routes valid signed session URLs. It is secure if you do not share the link with people who should not have access.

What happens if you share the URL?

Anyone who has the URL can attempt to open it while the session is alive. Do not post it in public chats, issue trackers, docs, or logs when the preview contains private work.

Do not expose these

Directories containing API keys, SSH keys, cloud credentials, or key files.
Admin panels, databases, or internal tools with real data.
Production secrets or local services that assume localhost-only trust.
Anything that should remain private if a link is forwarded.

Best practices

Serve the smallest directory or port needed for the preview.
Use generated sample data when possible.
Keep the link private.
Stop the Quackshell session after review.
Deploy real public services to production infrastructure instead.

Not production hosting

Quackshell is not intended for long-running public-facing endpoints. It is for temporary inspection of local work.