LAN / localhost

Working with local addresses safely (opt-in + allow-list).

Docs updated: 2025-12-17

Why LAN/localhost can be sensitive

Local addresses (like localhost or 192.168.x.x) may expose admin dashboards or private services. Only allow-list them if you trust the page that is sending RTO commands.

Allow-list LAN hosts

The allow-list is host-based. If you run a local dev server on a port, you may want to include the port (example: localhost:3000).

// Example: allow-list localhost (including port)
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script>
(async function(){
  // location.host includes port (example: "localhost:3000")
  const hostWithPort = location.host;
  const ok = await RTOAllowlist.add(hostWithPort);
  console.log("allowed?", ok, hostWithPort);
})();
</script>

Tip

If you want to allow-list without a port, use location.hostname instead of location.host.

Practical tips

Keep your local allow-list small.
Use the status banner (RTO_status_ui.js) while developing.
Never auto-allow silently. Always require a user click.

Recipes

← Compatibility

Recipes →

LAN / localhost

Why LAN/localhost can be sensitive

Allow-list LAN hosts

Practical tips

Next