Port Forwarding
When an agent starts a web server, database, or any TCP service inside a sandbox, Caged automatically detects it and generates a public preview URL.How It Works
- Caged scans
/proc/net/tcpinside the sandbox every 2 seconds - New listening ports are detected and registered
- HTTP ports get public preview URLs with HTTPS
- The proxy routes requests from the preview URL to the sandbox
Viewing Ports
CLI
API
Dashboard
The sandbox detail page shows all detected ports with clickable preview links.Password Protection
Add a password to restrict access to a preview URL:Recognized HTTP Ports
These ports automatically get preview URLs:| Port | Common Use |
|---|---|
| 80 | HTTP |
| 3000 | React, Next.js, Express |
| 4200 | Angular |
| 5173 | Vite |
| 5000 | Flask |
| 8000 | Django, FastAPI |
| 8080 | General HTTP |
| 8888 | Jupyter |
tcp protocol without preview URLs.
Rate Limits
Preview URLs are rate-limited to 100 requests per minute per port. This protects against abuse and ensures fair resource usage.HTTPS
All preview URLs use HTTPS with a wildcard certificate for*.preview.caged.dev. No configuration needed.
Limitations
- Only TCP ports are detected (UDP is not scanned)
- Ports bound to
127.0.0.1inside the sandbox are still accessible via preview URLs (the proxy connects internally) - WebSocket connections are supported through the preview proxy
- Maximum of 20 exposed ports per sandbox