Security
CrewHub ships with no authentication by default. It is designed for local/trusted network use. Public or internet-facing deployment requires the hardening steps below.
Default Security Posture
- API listens on 0.0.0.0:8090, accessible from your local network
- No authentication required
- No HTTPS by default
- Designed for developer workstations and trusted LANs
Binding to Localhost Only
The safest option for local-only use:
HOST=127.0.0.1 ./scripts/start.sh
This makes the API accessible only from your own machine.
Firewall Rules
If you need LAN access but want to restrict public internet access:
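# macOS: add uvicorn to the application firewall (it filters per application, not per port)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /path/to/uvicorn
# Linux (ufw): allow your LAN subnet first, then deny everything else
sudo ufw allow from 192.168.1.0/24 to any port 8090
sudo ufw deny 8090
HTTPS with Reverse Proxy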
For remote access, put CrewHub behind a reverse proxy with TLS (TLS encrypts the connection; it does not add authentication):
# nginx example
server {
    listen 443 ssl;
    server_name crewhub.yourdomain.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    location / {
        proxy_pass http://localhost:5181;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
    location /api/ {
        proxy_pass http://localhost:8090;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location /events {
        proxy_pass http://localhost:8090/events;
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding on;
    }
}
Data Sensitivity
CrewHub stores:
- Session metadata (IDs, status, timing), stored in ~/.crewhub/crewhub.db
- Room and task configuration, in the same database
- No message content is stored — chat history is read live from agent log files
- Connection tokens — stored in the database (protect your DB file)
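An added example (not part of the CrewHub repository): a small shell audit for two points on this page, whether port 8090 is bound to all interfaces and whether the database file holding connection tokens is readable by other users. The function names and the `ss -ltn` sample are constructed for illustration; the live-host commands assume Linux.

```shell
# Added example, not CrewHub code. Port 8090, port 5181 and the database path
# come from this page; function names and sample data are hypothetical.

# Classify how a TCP port is bound, reading `ss -ltn` output on stdin.
# Prints: exposed (all interfaces) | specific-address | loopback | not-listening
classify_bind() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":"); p = parts[n]
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
      else if (addr == "127.0.0.1" || addr == "[::1]") loop = 1
      else other = 1
    }
    END {
      if (wild) print "exposed"
      else if (other) print "specific-address"
      else if (loop) print "loopback"
      else print "not-listening"
    }'
}

# Succeed only if group and other have no permissions on the file (e.g. 600).
# Returns 1 if the mode is too open, 2 if the file cannot be inspected.
db_private() {
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 2
  case "$mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      2048   0.0.0.0:8090       0.0.0.0:*
LISTEN 0      511    127.0.0.1:5181     0.0.0.0:*'

echo "8090: $(printf '%s\n' "$sample" | classify_bind 8090)"   # exposed
echo "5181: $(printf '%s\n' "$sample" | classify_bind 5181)"   # loopback

# On a live Linux host:
#   ss -ltn | classify_bind 8090
#   db_private "$HOME/.crewhub/crewhub.db" || chmod 600 "$HOME/.crewhub/crewhub.db"
```

A result of `exposed` for 8090 means the API is reachable on every interface, so only the firewall rules stand between it and other hosts.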
See SECURITY.md in the repository for the full security policy and vulnerability reporting process.