This document outlines security best practices for using the wnc CLI.
By default, the CLI enforces strict TLS certificate verification:

```bash
# Secure connection (default)
wnc show ap --controllers "wnc.example.com:token"
# Skip verification only for development/testing
wnc show ap --controllers "wnc-dev.local:token" --insecure
```

Warning: The `--insecure` flag disables TLS certificate verification and should only be used in trusted development environments.
- Environment Variables: Store tokens in environment variables, never in scripts:

  ```bash
  export WNC_CONTROLLERS="wnc.example.com:$(wnc generate token -u admin -p "$PASSWORD")"
  ```

- Token Rotation: Regenerate tokens regularly:

  ```bash
  # Automated token refresh
  NEW_TOKEN=$(wnc generate token --username admin --password "$PASSWORD")
  export WNC_CONTROLLERS="wnc.example.com:$NEW_TOKEN"
  ```

- Secure Storage: Use secure credential management:

  ```bash
  # Example with macOS Keychain
  PASSWORD=$(security find-generic-password -a admin -s wnc-password -w)
  TOKEN=$(wnc generate token --username admin --password "$PASSWORD")
  ```

- Never log authentication tokens
- Don't store tokens in source code
- Avoid hardcoding credentials in scripts
- Don't share tokens between environments
- HTTPS traffic on port 443 (default)
- Outbound connections to controller management interfaces
- Consider VPN access for production environments
- Use dedicated service accounts with minimal privileges
- Implement read-only access where possible
- Monitor API access logs on controllers
- Regularly audit user permissions

```bash
# Development
export WNC_CONTROLLERS="wnc-dev.local:$DEV_TOKEN"
# Staging
export WNC_CONTROLLERS="wnc-staging.company.com:$STAGING_TOKEN"
# Production
export WNC_CONTROLLERS="wnc-prod.company.com:$PROD_TOKEN"
```

- Monitor CLI usage patterns
- Log command execution for audit trails
- Set up alerts for authentication failures
- Track API call volumes
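
"Never log authentication tokens" and "Log command execution for audit trails" conflict when a token is passed on the command line as `--controllers "host:token"`. The wrapper below is an added example, not part of wnc: it writes an audit record with the token and password redacted, and the function names and the `WNC_AUDIT_LOG` variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the wnc project. The function names and the
# WNC_AUDIT_LOG variable are hypothetical.

# Keep the host of a "host:token" value and drop everything after the first
# colon, so anything else in the value is redacted as well (fails closed).
redact_controllers() {
  case "$1" in
    *:*) printf '%s:REDACTED' "${1%%:*}" ;;
    *)   printf '%s' "$1" ;;
  esac
}

# Print a log-safe rendering of a wnc argument list. The body runs in a
# subshell, so its variables do not leak into the caller.
redact_args() (
  out="" pending=""
  for arg in "$@"; do
    case "$pending" in
      controllers) arg=$(redact_controllers "$arg") ;;
      secret)      arg="REDACTED" ;;
    esac
    pending=""
    case "$arg" in
      --controllers)   pending=controllers ;;
      -p|--password)   pending=secret ;;
      # "=" forms are handled defensively, whether or not the CLI accepts them.
      --controllers=*) arg="--controllers=$(redact_controllers "${arg#--controllers=}")" ;;
      --password=*)    arg="--password=REDACTED" ;;
    esac
    out="$out${out:+ }$arg"
  done
  printf '%s' "$out"
)

# Append a redacted audit record, then run the real command unchanged.
wnc_audited() {
  printf '%s user=%s wnc %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "${USER:-unknown}" "$(redact_args "$@")" \
    >> "${WNC_AUDIT_LOG:-$HOME/.wnc-audit.log}"
  wnc "$@"
}
```

Tokens supplied through `WNC_CONTROLLERS` never appear in the argument list, so they do not reach the audit log at all.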