well, if you've exposed your dev app running on your laptop to the internet, any exploit in your app now works against your laptop endpoint instead of a production endpoint.
your laptop is a very different environment from production: there are probably different protections, firewalls, monitoring, etc. in place. additionally, while your laptop (hopefully) doesn't have direct access to production databases, you probably have stuff lying around that you wouldn't want an attacker to get their hands on: sensitive work documents, your Chrome cookies just sitting in a sqlite database somewhere, source code for all the repositories you have checked out locally (not just the one app that has the exploit).
I don't agree that "using ngrok is not a security risk".
What's the problem with exposing port 3000 to let someone demo an app for an hour? By the time someone discovers the exposed address and port, and then figures out how to exploit the service that's running, I'll have already shut down the service.
true, maybe there's no problem for your use case. using something like ngrok is a gamble:
if the only thing on the line is low-value things like whatever is on your personal laptop (or even whatever is on a spartan vanilla ubuntu VM that your app is running in), then maybe it's not a very big gamble.
if the laptop has corporate secrets on it or it can be used by an attacker to pivot into company internal systems through the VPN you're also connected to, however, that's a completely different story.