
Reverse Proxy

Running ApiMeld behind a reverse proxy is the recommended production setup. The proxy handles TLS termination and your domain; ApiMeld receives plain HTTP on port 8080.

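Set PROXY_ENABLED=true so the app trusts the X-Forwarded-For and X-Forwarded-Proto headers the proxy sends. Without this, the app doesn't know it's being accessed over HTTPS and will set the refresh token cookie without the Secure flag. Since the app then trusts these headers, make sure port 8080 is reachable only through the proxy and not directly by clients.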

Nginx Proxy Manager

  1. Create a new Proxy Host
  2. Domain Names: your domain (e.g. tasks.example.com)
  3. Scheme: http, Forward Hostname/IP: Docker host IP or container name, Port: 8080
  4. Enable Force SSL and HTTP/2 Support
  5. Under the SSL tab: select your Let's Encrypt certificate (or request one)
  6. Under Advanced, add HSTS if desired:
    ```nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ```

Set PROXY_ENABLED=true in your container environment.

Traefik

```yaml
# docker-compose labels
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.apimeld.rule=Host(`tasks.example.com`)"
  - "traefik.http.routers.apimeld.entrypoints=websecure"
  - "traefik.http.routers.apimeld.tls.certresolver=letsencrypt"
  - "traefik.http.services.apimeld.loadbalancer.server.port=8080"
```

Set PROXY_ENABLED=true in your container environment.

Cloudflare Tunnel

Cloudflare Tunnel works without opening any inbound ports on your network.

  1. Install cloudflared on your host
  2. Create a tunnel and point it to http://localhost:8080 (or the container's internal address)
  3. Assign your domain in the Cloudflare dashboard

Set PROXY_ENABLED=true in your container environment. Cloudflare sets X-Forwarded-Proto: https automatically.

Cloudflare Access

You can protect ApiMeld with Cloudflare Access (email OTP, Google, GitHub login) as an additional authentication layer in front of the app. This is independent of ApiMeld's own auth — useful for restricting who can even reach the login page.

Security headers

ApiMeld sets the following security headers on every response regardless of proxy mode:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 0
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Strict-Transport-Security (HSTS) is not set by the app in proxy mode — set it on the proxy instead (see Nginx Proxy Manager example above), since the app may be serving plain HTTP on the internal network leg.
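To confirm a deployment matches the list above, the following added example (not part of ApiMeld) audits response headers captured through the proxy, for instance the output of `curl -sI` against your domain. It checks the five app headers, HSTS from the proxy, and the Secure flag on cookies; the sample responses are constructed and the cookie name `refresh_token` is an assumption.

```python
EXPECTED = {  # the five headers the page says the app always sets
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "0",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

def parse_headers(raw):
    """Return (lowercased name, value) pairs; the status line has no colon and is skipped."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return a list of findings; an empty list means the response passes."""
    pairs = parse_headers(raw)
    single = dict(pairs)
    findings = [f"{n}: expected {want!r}, got {single.get(n)!r}"
                for n, want in EXPECTED.items() if single.get(n) != want]
    # HSTS is the proxy's job in proxy mode, so a miss points at the proxy config.
    if "max-age=" not in single.get("strict-transport-security", "").lower():
        findings.append("strict-transport-security: missing (set it on the proxy)")
    # No Secure flag: PROXY_ENABLED is unset or X-Forwarded-Proto is not reaching the app.
    for name, value in pairs:
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if name == "set-cookie" and "secure" not in attrs:
            findings.append(f"set-cookie {value.split('=')[0]}: no Secure flag")
    return findings

# Constructed sample responses; the cookie name "refresh_token" is an assumption.
GOOD = """HTTP/2 200
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=()
strict-transport-security: max-age=31536000; includeSubDomains
set-cookie: refresh_token=abc; Path=/; HttpOnly; Secure; SameSite=Strict"""
BAD = GOOD.replace("; Secure", "").replace("strict-transport-security", "x-removed")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit(raw) or "OK")
```

Run it against a response that actually sets the cookie (such as a login), since a plain page load may not include a Set-Cookie header at all.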

ApiMeld Task Scheduler