💡Use token file instead of CLI argument in cloudflared service install for improved security #1539

@RichardThiessen

  • Current behavior: Token passed as --token CLI argument, visible in process list
  • Proposed: Use --token-file by default, write token to /etc/cloudflared/token with mode 600
  • Benefit: Prevents token exposure via ps, /proc, service file, system logs

I was very surprised when running ps on my system after install to see my tunnel token visible. The default setup allows any other process on the machine (not containerized or otherwise isolated) to steal the tunnel token.

File implementing the functionality:
https://github.com/cloudflare/cloudflared/blob/master/cmd/cloudflared/linux_service.go

Labels: Priority: Normal (minor issue impacting one or more users); Type: Feature Request (a big idea that would be split into smaller pieces)