{"slug":"best-practices-to-secure-your-tailnet","title":"Best practices to secure your tailnet","tags":["tailscale"],"agent_summary":"Last validated: Jan 20, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Best practices to secure your tailnet\r\n\r\nLast validated: Jan 20, 2026\r\n\r\nTailscale has many security features you can use to increase your network security. This page provides best practices for using these features to harden your Tailscale deployment.\r\n\r\nRefer to an [overview of Tailscale's security](https://tailscale.com/security), including how Tailscale builds in security by design, and internal controls we use to help keep your information safe.\r\n\r\n## [Baseline practices](https://tailscale.com/docs/reference/best-practices/security\\#baseline-practices)\r\n\r\n_Baseline practices are widely applicable and high-value steps to improve security._\r\n\r\n### [Upgrade Tailscale clients in a timely manner](https://tailscale.com/docs/reference/best-practices/security\\#upgrade-tailscale-clients-in-a-timely-manner)\r\n\r\n**Upgrade Tailscale clients regularly, in a timely manner.** Tailscale frequently introduces new features and [patches existing versions](https://tailscale.com/docs/reference/tailscale-client-versions), including security patches.\r\n\r\n[Check for updates](https://tailscale.com/docs/features/client/update#check-for-updates) to find the version of the Tailscale client installed on every device in your tailnet and use [auto-updates](https://tailscale.com/docs/features/client/update#auto-updates) to keep Tailscale clients updated automatically.\r\n\r\n### [Subscribe to security bulletins](https://tailscale.com/docs/reference/best-practices/security\\#subscribe-to-security-bulletins)\r\n\r\n**Subscribe to [Tailscale's security bulletins](https://tailscale.com/security-bulletins)** (by using [RSS](https://tailscale.com/security-bulletins/index.xml)). Tailscale publishes security bulletins to disclose security issues affecting Tailscale. If you're directly affected by a security issue, and we have your contact information, we will contact you.\r\n\r\n### [Set a contact for security issue emails](https://tailscale.com/docs/reference/best-practices/security\\#set-a-contact-for-security-issue-emails)\r\n\r\n**Set a [contact for security issue emails](https://tailscale.com/docs/reference/contact-preferences#setting-the-security-issues-email)**. If you're directly affected by a security issue, and we have your contact information, we will contact you. If no email is set for a security contact, Tailscale uses the default behavior, which is to send security issue emails to the tailnet owner email address.\r\n\r\nIf you want multiple users to be notified, consider using an email group. For example, use `security@example.com`, instead of `alice@example.com`, for security issue notifications.\r\n\r\nIf you are using GitHub as your identity provider, we have no contact email information unless you add an email address\r\nto your [contact preferences](https://tailscale.com/docs/reference/contact-preferences).\r\n\r\n### [Enable MFA in your identity provider](https://tailscale.com/docs/reference/best-practices/security\\#enable-mfa-in-your-identity-provider)\r\n\r\n**Enable multifactor authentication in your identity provider for authenticating to Tailscale, ideally using a hardware token**. Tailscale relies on your existing [identity provider](https://tailscale.com/docs/integrations/identity) to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA and context-aware access.\r\n\r\nFollow your [identity provider's documentation](https://tailscale.com/docs/multifactor-auth) for how to enable multifactor authentication.\r\n\r\n### [Define access control policies](https://tailscale.com/docs/reference/best-practices/security\\#define-access-control-policies)\r\n\r\n**Use access controls to define the connections you want to allow in your network, based on job function and following the principle of least privilege.** Tailscale's [access control policies](https://tailscale.com/docs/features/access-control) let you define what users, groups, IP addresses, CIDRs, hosts, and tags can connect to each other in your network. Using access control policies, you can define [role-based access controls](https://tailscale.com/blog/rbac-like-it-was-meant-to-be) for users accessing services in your network in terms of user identities, rather than in terms of IP addresses. Follow the [principle of least privilege](https://tailscale.com/learn/principle-of-least-privilege) to ensure users are only granted access to the intended resources.\r\n\r\nRestrict access to users based on job function and what they need to access. Refer to [grant examples](https://tailscale.com/docs/reference/examples/grants) for common scenarios.\r\n\r\n### [Use groups in access control policies](https://tailscale.com/docs/reference/best-practices/security\\#use-groups-in-access-control-policies)\r\n\r\n**Use groups to manage your users.** Using groups lets identities be controlled based on job function. If someone leaves an organization or changes roles, you can adjust the group membership rather than update all of their access control policies.\r\n\r\nDefine [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups) in access control policies for sets of users, and use these as part of access rules. Enable [user & group provisioning](https://tailscale.com/docs/features/user-group-provisioning) to sync users and groups from your identity provider, to automatically add or suspend users, and use synced groups in access control policies.\r\n\r\n### [Use tags in access control policies](https://tailscale.com/docs/reference/best-practices/security\\#use-tags-in-access-control-policies)\r\n\r\n**Use tags to manage devices.** Using tags lets you define access to devices based on purpose, rather than based on owner. If someone leaves an organization or changes roles, common devices they have set up, like a server, will not need to be reconfigured.\r\n\r\nDefine [tags](https://tailscale.com/docs/features/tags) in access control policies, and use these as part of access rules. Use an [auth key with an tag](https://tailscale.com/docs/features/tags#best-practices) so that a device is automatically tagged when it is authenticated.\r\n\r\n### [Use check mode for Tailscale SSH](https://tailscale.com/docs/reference/best-practices/security\\#use-check-mode-for-tailscale-ssh)\r\n\r\n**Verify high-risk Tailscale SSH connections with check mode.** Check mode requires certain connections, or connections as certain users (such as `root`), to re-authenticate before connecting. This lets the user access these high-risk applications for the next 12 hours or for a specified check period before re-authenticating again. Check mode is only available for [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) connections.\r\n\r\nIn an access control policy's `ssh` rule, [set the `action` field to `check`](https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode) to configure check mode for your high-risk Tailscale SSH connections.\r\n\r\n### [Use session recording for Tailscale SSH](https://tailscale.com/docs/reference/best-practices/security\\#use-session-recording-for-tailscale-ssh)\r\n\r\n**Set up session recording to log the contents of Tailscale SSH sessions.** Session recording for Tailscale SSH streams these recordings to special recorder nodes in your tailnet, and Tailscale never has access to these recordings. You can deploy the recorder nodes as Docker containers, and configure recordings to be stored on the Docker host's disk or in Amazon S3 (and other S3-compatible object storage services). Session recording is only available for [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) connections.\r\n\r\nFollow [these instructions](https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-session-recording) to deploy the recorder nodes and update your access control policies to require session recording.\r\n\r\n### [Review configuration audit logs](https://tailscale.com/docs/reference/best-practices/security\\#review-configuration-audit-logs)\r\n\r\n**Review who did what, and when, in your tailnet.** [Configuration audit logs](https://tailscale.com/docs/features/logging/audit-logging) record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.\r\n\r\nRegularly review the logs, and if needed, use the Tailscale API to [export the logs](https://tailscale.com/docs/features/logging/audit-logging#accessing-configuration-audit-logs-via-api) for long term storage.\r\n\r\n### [Get notified about events in your tailnet](https://tailscale.com/docs/reference/best-practices/security\\#get-notified-about-events-in-your-tailnet)\r\n\r\n**Use webhooks to subscribe to events.** [Webhooks](https://tailscale.com/docs/features/webhooks) let you subscribe to certain events on your Tailscale network and process the event notifications through an integration or app. For example, you can subscribe to events like adding a node or updating your [tailnet policy file](https://tailscale.com/docs/reference/syntax/policy-file), and then receive the event notifications in a Slack channel or other app.\r\n\r\nSubscribe to tailnet management events to be notified of changes to your tailnet policy file, new nodes, new users, and more.\r\n\r\n### [Offboard users when they leave](https://tailscale.com/docs/reference/best-practices/security\\#offboard-users-when-they-leave)\r\n\r\n**Suspend or delete users as part of your offboarding process**. Offboarding Tailscale users ensures that they no longer have access to resources including machine authorization, API keys, and auth keys.\r\n\r\nAutomatically or manually suspend users when they leave. This process can vary depending on your identity provider and whether or not you use user & group provisioning (SCIM).\r\n\r\nFor more information, refer to [Offboarding users](https://tailscale.com/docs/features/sharing/how-to/offboard).\r\n\r\n## [Advanced practices](https://tailscale.com/docs/reference/best-practices/security\\#advanced-practices)\r\n\r\n_Advanced practices may not be widely applicable. They may also include features which require more configuration or a more advanced knowledge of security and networking._\r\n\r\n### [Use tests](https://tailscale.com/docs/reference/best-practices/security\\#use-tests)\r\n\r\n**Write tests to ensure access controls don't change unexpectedly**. Access control policy tests let you ensure that your access controls are as expected, so that after making a change, an important permission isn't accidentally revoked, or a critical system accidentally exposed.\r\n\r\nDefine [access control policy tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) in access control policies. These are automatically validated when an access control policy is updated.\r\n\r\n### [Assign Admin roles](https://tailscale.com/docs/reference/best-practices/security\\#assign-admin-roles)\r\n\r\n**Assign user roles for managing Tailscale as appropriate, based on job function and for separation of duties.** Tailscale provides multiple user roles that restrict who can modify your tailnet's configurations. These allow for separation of duties between admins who can modify users and devices, such as IT administrators, and those who can modify network configurations, such as the networking team.\r\n\r\n[Assign the roles](https://tailscale.com/docs/features/sharing/how-to/change-role) of [Admin, Network admin, IT admin, Billing admin, and Auditor](https://tailscale.com/docs/reference/user-roles) in the [Users](https://login.tailscale.com/admin/users) page of the admin console.\r\n\r\n### [Enable device approval](https://tailscale.com/docs/reference/best-practices/security\\#enable-device-approval)\r\n\r\n**Require devices to be approved before they join your network**. You can require that new devices be manually reviewed and approved by an Admin before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.\r\n\r\n[Enable device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) from the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n\r\n### [Customize node key expiry](https://tailscale.com/docs/reference/best-practices/security\\#customize-node-key-expiry)\r\n\r\n**Require users to rotate keys by re-authenticating their devices to the network regularly**. Devices connect to your tailnet using a public [node key](https://tailscale.com/blog/tailscale-key-management#node-keys) which expires automatically after a period of time, forcing keys to rotate. By default, Tailscale requires devices to re-authenticate every 180 days, but some organizations may have a need for stricter controls.\r\n\r\n[Modify key expiry](https://tailscale.com/docs/features/access-control/key-expiry) from the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n\r\n### [Protect your network boundary](https://tailscale.com/docs/reference/best-practices/security\\#protect-your-network-boundary)\r\n\r\n**Restrict access to your private network, for example, using a firewall**. Tailscale lets you easily connect your devices no matter their local area network, and ensures that traffic between your devices is end-to-end encrypted. However, Tailscale does not protect your devices from any other traffic.\r\n\r\nSet up a firewall for your network or [for your device](https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw). Refer to [Using Tailscale with your firewall](https://tailscale.com/docs/integrations/firewalls) for additional configuration information.\r\n\r\n### [Enable HTTPS](https://tailscale.com/docs/reference/best-practices/security\\#enable-https)\r\n\r\n**Obtain public TLS certificates for internal web tools hosted on your network**. Connections between Tailscale nodes are already secured with end-to-end [encryption](https://tailscale.com/docs/concepts/tailscale-encryption). However, browsers are not aware of that because they rely on verifying the TLS certificate of a domain. By getting a TLS certificate from a public CA for your internal web tool, you avoid confusing your users with browser security warnings.\r\n\r\n[Configure HTTPS](https://tailscale.com/docs/how-to/set-up-https-certificates) for your tailnet from the [DNS](https://login.tailscale.com/admin/dns) page of the admin console. Note that certificates are added to the Certificate Transparency log, so machine names should not contain private information.\r\n\r\n### [Use On-Demand Access](https://tailscale.com/docs/reference/best-practices/security\\#use-on-demand-access)\r\n\r\n**Leverage just-in-time access requests to limit access to network resources**. This lets access be granted and revoked on a just-in-time basis, and can be used to manage temporary access to resources that are managed by Tailscale. Tailscale integrates with a [variety](https://tailscale.com/docs/integrations/jit-access) of on-demand access products.\r\n\r\n### [Remove unused OAuth clients](https://tailscale.com/docs/reference/best-practices/security\\#remove-unused-oauth-clients)\r\n\r\n**Regularly remove OAuth clients that are no longer needed for your network**. This prevents leaked OAuth clients being used for Tailscale API access to your network.\r\n\r\nFind existing OAuth clients from the [Trust credentials](https://login.tailscale.com/admin/settings/trust-credentials) page of the admin console, and remove those you no longer need.\r\n\r\n### [Remove unused API and auth keys](https://tailscale.com/docs/reference/best-practices/security\\#remove-unused-api-and-auth-keys)\r\n\r\n**Regularly remove API and auth keys that are no longer needed for your network**. This prevents leaked keys being used to add unauthorized users or devices to your network.\r\n\r\nFind existing API and auth keys from the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console, and remove those you no longer need. If you are using an auth key to only authenticate a single device, consider using a [one-time auth key](https://tailscale.com/docs/features/access-control/auth-keys).\r\n\r\n### [Prevent DNS rebinding attacks](https://tailscale.com/docs/reference/best-practices/security\\#prevent-dns-rebinding-attacks)\r\n\r\n**Ensure a Host header is present for HTTP services**. Web services available in a tailnet over HTTP (not HTTPS) may be susceptible to [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) attacks, where a Tailscale node visiting a malicious web page can be triggered to run a client-side script and attack other nodes in the tailnet. HTTP services can detect DNS rebinding attacks by validating the Host header of incoming HTTP requests is allowlisted.\r\n\r\nSet a Host header field in HTTP request messages sent to a HTTP service running in your tailnet. For example, in the HTTP request message, set:\r\n\r\n```markup\r\nGET /resource HTTP/1.1\r\nHost: www.example.com\r\n```\r\n\r\nThis could also be a MagicDNS fully qualified domain name, for example:\r\n\r\n```markup\r\nHost: webserver.example2.ts.net\r\n```\r\n\r\n### [Manage access control policy updates with GitOps](https://tailscale.com/docs/reference/best-practices/security\\#manage-access-control-policy-updates-with-gitops)\r\n\r\n**Use GitOps to keep the source of truth for your [tailnet policy file](https://tailscale.com/docs/reference/syntax/policy-file) in code, outside of the Tailscale admin console, and use features in a code repository tool to manage and version access control policies.** Use GitOps for Tailscale with [GitHub Actions](https://tailscale.com/docs/gitops) or [GitLab CI](https://tailscale.com/docs/integrations/gitlab/gitops) to manage your tailnet policy file in a code repository, and use protected branches and required reviews to manage changes. Using GitOps also enables versioning and an audit trail of changes to your tailnet policy file.\r\n\r\nFor example, you can require approvals by specific individuals, or enforce tests pass successfully before merging a change.\r\n\r\n### [Set up Tailscale with infrastructure as code](https://tailscale.com/docs/reference/best-practices/security\\#set-up-tailscale-with-infrastructure-as-code)\r\n\r\n**Use infrastructure as code tools to deploy Tailscale infrastructure programmatically.** By using an infrastructure as code tool for deployment, you can deploy (or redeploy) a consistent or prior version of a configuration in case of an issue.\r\n\r\nSet up the [Terraform](https://tailscale.com/docs/integrations/terraform-provider) or [Pulumi](https://tailscale.com/docs/integrations/pulumi-provider) Tailscale providers to interact with the Tailscale API. Supported features include the ability to define your [tailnet policy file](https://tailscale.com/docs/reference/syntax/policy-file), set DNS settings, generate [auth keys](https://tailscale.com/docs/features/access-control/auth-keys), and manage device properties. Restrict access to the Tailscale API to your infrastructure as code tools, so that all configuration changes are centrally managed.\r\n\r\n### [Use device postures](https://tailscale.com/docs/reference/best-practices/security\\#use-device-postures)\r\n\r\n**Use [device postures](https://tailscale.com/docs/features/device-posture) to measure how secure or trustworthy a device is.** Restrict access based on device attributes that signal security issues. For example, you can require specific Tailscale client versions, specific operating systems, or disk encryption. The [Enterprise plan](https://tailscale.com/pricing) can also restrict access with geolocation. Useful for remote work security, Bring Your Own Device (BYOD) policies, and [Zero Trust](https://tailscale.com/docs/concepts/zero-trust) enforcement.\r\n\r\n### [Use Network flow logs](https://tailscale.com/docs/reference/best-practices/security\\#use-network-flow-logs)\r\n\r\n**Use [Network flow logs](https://tailscale.com/docs/features/logging/network-flow-logs) to determine how nodes are connecting on your Tailscale network.** When Network flow logs are enabled and clients are running a sufficient client version, and when not using [`tailscaled --no-logs-no-support`](https://tailscale.com/docs/features/logging#opting-out-of-client-logging), nodes report their network activity to the Tailscale logs service. These logs can be accessed using the Tailscale API.\r\n\r\nRegularly review the logs, and if needed, export the logs for long term storage.\r\n\r\n### [Restrict multi-user systems](https://tailscale.com/docs/reference/best-practices/security\\#restrict-multi-user-systems)\r\n\r\nUsers that share a device with multiple user accounts can potentially allow other users to access resources on the tailnet when they switch to another account without logging out. This applies to Linux, Windows, and macOS.\r\n\r\nUse of Tailscale is not recommended on devices used by multiple people, unless shared tailnet access between them is acceptable to your security policies.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Best practices to secure your tailnet</h1>\n<p>Last validated: Jan 20, 2026</p>\n<p>Tailscale has many security features you can use to increase your network security. This page provides best practices for using these features to harden your Tailscale deployment.</p>\n<p>Refer to an <a href=\"https://tailscale.com/security\">overview of Tailscale's security</a>, including how Tailscale builds in security by design, and internal controls we use to help keep your information safe.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/best-practices/security#baseline-practices\">Baseline practices</a></h2>\n<p><em>Baseline practices are widely applicable and high-value steps to improve security.</em></p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#upgrade-tailscale-clients-in-a-timely-manner\">Upgrade Tailscale clients in a timely manner</a></h3>\n<p><strong>Upgrade Tailscale clients regularly, in a timely manner.</strong> Tailscale frequently introduces new features and <a href=\"https://tailscale.com/docs/reference/tailscale-client-versions\">patches existing versions</a>, including security patches.</p>\n<p><a href=\"https://tailscale.com/docs/features/client/update#check-for-updates\">Check for updates</a> to find the version of the Tailscale client installed on every device in your tailnet and use <a href=\"https://tailscale.com/docs/features/client/update#auto-updates\">auto-updates</a> to keep Tailscale clients updated automatically.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#subscribe-to-security-bulletins\">Subscribe to security bulletins</a></h3>\n<p><strong>Subscribe to <a href=\"https://tailscale.com/security-bulletins\">Tailscale's security bulletins</a></strong> (by using <a href=\"https://tailscale.com/security-bulletins/index.xml\">RSS</a>). Tailscale publishes security bulletins to disclose security issues affecting Tailscale. If you're directly affected by a security issue, and we have your contact information, we will contact you.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#set-a-contact-for-security-issue-emails\">Set a contact for security issue emails</a></h3>\n<p><strong>Set a <a href=\"https://tailscale.com/docs/reference/contact-preferences#setting-the-security-issues-email\">contact for security issue emails</a></strong>. If you're directly affected by a security issue, and we have your contact information, we will contact you. If no email is set for a security contact, Tailscale uses the default behavior, which is to send security issue emails to the tailnet owner email address.</p>\n<p>If you want multiple users to be notified, consider using an email group. For example, use <code>security@example.com</code>, instead of <code>alice@example.com</code>, for security issue notifications.</p>\n<p>If you are using GitHub as your identity provider, we have no contact email information unless you add an email address\r\nto your <a href=\"https://tailscale.com/docs/reference/contact-preferences\">contact preferences</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#enable-mfa-in-your-identity-provider\">Enable MFA in your identity provider</a></h3>\n<p><strong>Enable multifactor authentication in your identity provider for authenticating to Tailscale, ideally using a hardware token</strong>. Tailscale relies on your existing <a href=\"https://tailscale.com/docs/integrations/identity\">identity provider</a> to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA and context-aware access.</p>\n<p>Follow your <a href=\"https://tailscale.com/docs/multifactor-auth\">identity provider's documentation</a> for how to enable multifactor authentication.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#define-access-control-policies\">Define access control policies</a></h3>\n<p><strong>Use access controls to define the connections you want to allow in your network, based on job function and following the principle of least privilege.</strong> Tailscale's <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a> let you define what users, groups, IP addresses, CIDRs, hosts, and tags can connect to each other in your network. Using access control policies, you can define <a href=\"https://tailscale.com/blog/rbac-like-it-was-meant-to-be\">role-based access controls</a> for users accessing services in your network in terms of user identities, rather than in terms of IP addresses. Follow the <a href=\"https://tailscale.com/learn/principle-of-least-privilege\">principle of least privilege</a> to ensure users are only granted access to the intended resources.</p>\n<p>Restrict access to users based on job function and what they need to access. Refer to <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a> for common scenarios.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-groups-in-access-control-policies\">Use groups in access control policies</a></h3>\n<p><strong>Use groups to manage your users.</strong> Using groups lets identities be controlled based on job function. If someone leaves an organization or changes roles, you can adjust the group membership rather than update all of their access control policies.</p>\n<p>Define <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a> in access control policies for sets of users, and use these as part of access rules. Enable <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user &#x26; group provisioning</a> to sync users and groups from your identity provider, to automatically add or suspend users, and use synced groups in access control policies.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-tags-in-access-control-policies\">Use tags in access control policies</a></h3>\n<p><strong>Use tags to manage devices.</strong> Using tags lets you define access to devices based on purpose, rather than based on owner. If someone leaves an organization or changes roles, common devices they have set up, like a server, will not need to be reconfigured.</p>\n<p>Define <a href=\"https://tailscale.com/docs/features/tags\">tags</a> in access control policies, and use these as part of access rules. Use an <a href=\"https://tailscale.com/docs/features/tags#best-practices\">auth key with an tag</a> so that a device is automatically tagged when it is authenticated.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-check-mode-for-tailscale-ssh\">Use check mode for Tailscale SSH</a></h3>\n<p><strong>Verify high-risk Tailscale SSH connections with check mode.</strong> Check mode requires certain connections, or connections as certain users (such as <code>root</code>), to re-authenticate before connecting. This lets the user access these high-risk applications for the next 12 hours or for a specified check period before re-authenticating again. Check mode is only available for <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> connections.</p>\n<p>In an access control policy's <code>ssh</code> rule, <a href=\"https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode\">set the <code>action</code> field to <code>check</code></a> to configure check mode for your high-risk Tailscale SSH connections.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-session-recording-for-tailscale-ssh\">Use session recording for Tailscale SSH</a></h3>\n<p><strong>Set up session recording to log the contents of Tailscale SSH sessions.</strong> Session recording for Tailscale SSH streams these recordings to special recorder nodes in your tailnet, and Tailscale never has access to these recordings. You can deploy the recorder nodes as Docker containers, and configure recordings to be stored on the Docker host's disk or in Amazon S3 (and other S3-compatible object storage services). Session recording is only available for <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> connections.</p>\n<p>Follow <a href=\"https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-session-recording\">these instructions</a> to deploy the recorder nodes and update your access control policies to require session recording.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#review-configuration-audit-logs\">Review configuration audit logs</a></h3>\n<p><strong>Review who did what, and when, in your tailnet.</strong> <a href=\"https://tailscale.com/docs/features/logging/audit-logging\">Configuration audit logs</a> record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.</p>\n<p>Regularly review the logs, and if needed, use the Tailscale API to <a href=\"https://tailscale.com/docs/features/logging/audit-logging#accessing-configuration-audit-logs-via-api\">export the logs</a> for long term storage.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#get-notified-about-events-in-your-tailnet\">Get notified about events in your tailnet</a></h3>\n<p><strong>Use webhooks to subscribe to events.</strong> <a href=\"https://tailscale.com/docs/features/webhooks\">Webhooks</a> let you subscribe to certain events on your Tailscale network and process the event notifications through an integration or app. For example, you can subscribe to events like adding a node or updating your <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy file</a>, and then receive the event notifications in a Slack channel or other app.</p>\n<p>Subscribe to tailnet management events to be notified of changes to your tailnet policy file, new nodes, new users, and more.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#offboard-users-when-they-leave\">Offboard users when they leave</a></h3>\n<p><strong>Suspend or delete users as part of your offboarding process</strong>. Offboarding Tailscale users ensures that they no longer have access to resources including machine authorization, API keys, and auth keys.</p>\n<p>Automatically or manually suspend users when they leave. This process can vary depending on your identity provider and whether or not you use user &#x26; group provisioning (SCIM).</p>\n<p>For more information, refer to <a href=\"https://tailscale.com/docs/features/sharing/how-to/offboard\">Offboarding users</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/best-practices/security#advanced-practices\">Advanced practices</a></h2>\n<p><em>Advanced practices may not be widely applicable. They may also include features which require more configuration or a more advanced knowledge of security and networking.</em></p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-tests\">Use tests</a></h3>\n<p><strong>Write tests to ensure access controls don't change unexpectedly</strong>. Access control policy tests let you ensure that your access controls are as expected, so that after making a change, an important permission isn't accidentally revoked, or a critical system accidentally exposed.</p>\n<p>Define <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">access control policy tests</a> in access control policies. These are automatically validated when an access control policy is updated.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#assign-admin-roles\">Assign Admin roles</a></h3>\n<p><strong>Assign user roles for managing Tailscale as appropriate, based on job function and for separation of duties.</strong> Tailscale provides multiple user roles that restrict who can modify your tailnet's configurations. These allow for separation of duties between admins who can modify users and devices, such as IT administrators, and those who can modify network configurations, such as the networking team.</p>\n<p><a href=\"https://tailscale.com/docs/features/sharing/how-to/change-role\">Assign the roles</a> of <a href=\"https://tailscale.com/docs/reference/user-roles\">Admin, Network admin, IT admin, Billing admin, and Auditor</a> in the <a href=\"https://login.tailscale.com/admin/users\">Users</a> page of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#enable-device-approval\">Enable device approval</a></h3>\n<p><strong>Require devices to be approved before they join your network</strong>. You can require that new devices be manually reviewed and approved by an Admin before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.</p>\n<p><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">Enable device approval</a> from the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#customize-node-key-expiry\">Customize node key expiry</a></h3>\n<p><strong>Require users to rotate keys by re-authenticating their devices to the network regularly</strong>. Devices connect to your tailnet using a public <a href=\"https://tailscale.com/blog/tailscale-key-management#node-keys\">node key</a> which expires automatically after a period of time, forcing keys to rotate. By default, Tailscale requires devices to re-authenticate every 180 days, but some organizations may have a need for stricter controls.</p>\n<p><a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">Modify key expiry</a> from the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#protect-your-network-boundary\">Protect your network boundary</a></h3>\n<p><strong>Restrict access to your private network, for example, using a firewall</strong>. Tailscale lets you easily connect your devices no matter their local area network, and ensures that traffic between your devices is end-to-end encrypted. However, Tailscale does not protect your devices from any other traffic.</p>\n<p>Set up a firewall for your network or <a href=\"https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw\">for your device</a>. Refer to <a href=\"https://tailscale.com/docs/integrations/firewalls\">Using Tailscale with your firewall</a> for additional configuration information.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#enable-https\">Enable HTTPS</a></h3>\n<p><strong>Obtain public TLS certificates for internal web tools hosted on your network</strong>. Connections between Tailscale nodes are already secured with end-to-end <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a>. However, browsers are not aware of that because they rely on verifying the TLS certificate of a domain. By getting a TLS certificate from a public CA for your internal web tool, you avoid confusing your users with browser security warnings.</p>\n<p><a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates\">Configure HTTPS</a> for your tailnet from the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console. Note that certificates are added to the Certificate Transparency log, so machine names should not contain private information.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-on-demand-access\">Use On-Demand Access</a></h3>\n<p><strong>Leverage just-in-time access requests to limit access to network resources</strong>. This lets access be granted and revoked on a just-in-time basis, and can be used to manage temporary access to resources that are managed by Tailscale. Tailscale integrates with a <a href=\"https://tailscale.com/docs/integrations/jit-access\">variety</a> of on-demand access products.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#remove-unused-oauth-clients\">Remove unused OAuth clients</a></h3>\n<p><strong>Regularly remove OAuth clients that are no longer needed for your network</strong>. This prevents leaked OAuth clients being used for Tailscale API access to your network.</p>\n<p>Find existing OAuth clients from the <a href=\"https://login.tailscale.com/admin/settings/trust-credentials\">Trust credentials</a> page of the admin console, and remove those you no longer need.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#remove-unused-api-and-auth-keys\">Remove unused API and auth keys</a></h3>\n<p><strong>Regularly remove API and auth keys that are no longer needed for your network</strong>. This prevents leaked keys being used to add unauthorized users or devices to your network.</p>\n<p>Find existing API and auth keys from the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console, and remove those you no longer need. If you are using an auth key to only authenticate a single device, consider using a <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">one-time auth key</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#prevent-dns-rebinding-attacks\">Prevent DNS rebinding attacks</a></h3>\n<p><strong>Ensure a Host header is present for HTTP services</strong>. Web services available in a tailnet over HTTP (not HTTPS) may be susceptible to <a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS rebinding</a> attacks, where a Tailscale node visiting a malicious web page can be triggered to run a client-side script and attack other nodes in the tailnet. HTTP services can detect DNS rebinding attacks by validating the Host header of incoming HTTP requests is allowlisted.</p>\n<p>Set a Host header field in HTTP request messages sent to a HTTP service running in your tailnet. For example, in the HTTP request message, set:</p>\n<pre><code class=\"language-markup\">GET /resource HTTP/1.1\r\nHost: www.example.com\n</code></pre>\n<p>This could also be a MagicDNS fully qualified domain name, for example:</p>\n<pre><code class=\"language-markup\">Host: webserver.example2.ts.net\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#manage-access-control-policy-updates-with-gitops\">Manage access control policy updates with GitOps</a></h3>\n<p><strong>Use GitOps to keep the source of truth for your <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy file</a> in code, outside of the Tailscale admin console, and use features in a code repository tool to manage and version access control policies.</strong> Use GitOps for Tailscale with <a href=\"https://tailscale.com/docs/gitops\">GitHub Actions</a> or <a href=\"https://tailscale.com/docs/integrations/gitlab/gitops\">GitLab CI</a> to manage your tailnet policy file in a code repository, and use protected branches and required reviews to manage changes. Using GitOps also enables versioning and an audit trail of changes to your tailnet policy file.</p>\n<p>For example, you can require approvals by specific individuals, or enforce tests pass successfully before merging a change.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#set-up-tailscale-with-infrastructure-as-code\">Set up Tailscale with infrastructure as code</a></h3>\n<p><strong>Use infrastructure as code tools to deploy Tailscale infrastructure programmatically.</strong> By using an infrastructure as code tool for deployment, you can deploy (or redeploy) a consistent or prior version of a configuration in case of an issue.</p>\n<p>Set up the <a href=\"https://tailscale.com/docs/integrations/terraform-provider\">Terraform</a> or <a href=\"https://tailscale.com/docs/integrations/pulumi-provider\">Pulumi</a> Tailscale providers to interact with the Tailscale API. Supported features include the ability to define your <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy file</a>, set DNS settings, generate <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth keys</a>, and manage device properties. Restrict access to the Tailscale API to your infrastructure as code tools, so that all configuration changes are centrally managed.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-device-postures\">Use device postures</a></h3>\n<p><strong>Use <a href=\"https://tailscale.com/docs/features/device-posture\">device postures</a> to measure how secure or trustworthy a device is.</strong> Restrict access based on device attributes that signal security issues. For example, you can require specific Tailscale client versions, specific operating systems, or disk encryption. The <a href=\"https://tailscale.com/pricing\">Enterprise plan</a> can also restrict access with geolocation. Useful for remote work security, Bring Your Own Device (BYOD) policies, and <a href=\"https://tailscale.com/docs/concepts/zero-trust\">Zero Trust</a> enforcement.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#use-network-flow-logs\">Use Network flow logs</a></h3>\n<p><strong>Use <a href=\"https://tailscale.com/docs/features/logging/network-flow-logs\">Network flow logs</a> to determine how nodes are connecting on your Tailscale network.</strong> When Network flow logs are enabled and clients are running a sufficient client version, and when not using <a href=\"https://tailscale.com/docs/features/logging#opting-out-of-client-logging\"><code>tailscaled --no-logs-no-support</code></a>, nodes report their network activity to the Tailscale logs service. These logs can be accessed using the Tailscale API.</p>\n<p>Regularly review the logs, and if needed, export the logs for long term storage.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/best-practices/security#restrict-multi-user-systems\">Restrict multi-user systems</a></h3>\n<p>Users that share a device with multiple user accounts can potentially allow other users to access resources on the tailnet when they switch to another account without logging out. This applies to Linux, Windows, and macOS.</p>\n<p>Use of Tailscale is not recommended on devices used by multiple people, unless shared tailnet access between them is acceptable to your security policies.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}