Headscale Security Hardening
Expose Headscale API only via TLS and trusted ingress.
Protect OIDC integration and token secrets.
Enforce node key expiration and periodic re-authentication.
Audit namespace, route, and ACL changes.
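
An added example, not code from the original page or from the Headscale project: a small Python audit that checks an already-loaded Headscale configuration against the first three items above. The key names (`server_url`, `listen_addr`, `grpc_allow_insecure`, `oidc.client_secret`, `oidc.client_secret_path`, `oidc.expiry`) and the meaning of `expiry: "0"` as "no expiry" are assumed from Headscale's example configuration and should be verified against your version; both sample configurations, hostnames and paths are constructed.

```python
from urllib.parse import urlparse

# Constructed samples: dicts as they would look after loading config.yaml.
WEAK = {
    "server_url": "http://hs.example.internal:8080",
    "listen_addr": "0.0.0.0:8080",
    "grpc_listen_addr": "0.0.0.0:50443",
    "grpc_allow_insecure": True,
    "oidc": {"issuer": "https://idp.example.internal", "client_id": "headscale",
             "client_secret": "constructed-inline-secret", "expiry": "0"},
}
HARDENED = {
    "server_url": "https://hs.example.internal",
    "listen_addr": "127.0.0.1:8080",  # TLS is terminated by a trusted ingress on the same host
    "grpc_listen_addr": "127.0.0.1:50443",
    "grpc_allow_insecure": False,
    "oidc": {"issuer": "https://idp.example.internal", "client_id": "headscale",
             "client_secret_path": "/run/secrets/oidc_client_secret", "expiry": "30d"},
}

def is_loopback(addr):
    """True when a host:port listen address binds to loopback only."""
    return str(addr).rsplit(":", 1)[0] in ("127.0.0.1", "localhost", "[::1]")

def audit(cfg):
    """Return a list of (config key, finding) tuples; empty means no findings."""
    findings = []
    native_tls = bool(cfg.get("tls_cert_path") and cfg.get("tls_key_path")) \
        or bool(cfg.get("tls_letsencrypt_hostname"))
    if urlparse(cfg.get("server_url", "")).scheme != "https":
        findings.append(("server_url", "clients are not directed to an https URL"))
    # Without built-in TLS the listener must be reachable only through the ingress.
    if not native_tls and not is_loopback(cfg.get("listen_addr", "")):
        findings.append(("listen_addr", "plain-HTTP listener is not bound to loopback"))
    if cfg.get("grpc_allow_insecure") and not is_loopback(cfg.get("grpc_listen_addr", "")):
        findings.append(("grpc_allow_insecure", "unencrypted gRPC API on a non-loopback address"))
    oidc = cfg.get("oidc") or {}
    if oidc.get("client_secret"):
        findings.append(("oidc.client_secret", "secret is inline; use client_secret_path"))
    # A zero duration ("0", "0s", ...) disables expiry for OIDC-authenticated nodes.
    if oidc and str(oidc.get("expiry", "")).strip().rstrip("smhdwy") == "0":
        findings.append(("oidc.expiry", "node keys never expire, so nodes never re-authenticate"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

To run it against a real deployment, load `config.yaml` with a YAML parser and pass the resulting dict to `audit()`.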