temporalio · KeithB-Temporal · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -18,6 +18,11 @@ tags:
 There are many ways to self-host a [Temporal Service](/temporal-service).
 The right way for you depends entirely on your use case and where you plan to run it.
 
+:::warning Temporal Hosts Should Not Be Exposed to the Open Internet
+
+Temporal is a persistence layer and should be treated similarly to a database. Temporal services should run on hosts that are not accessible from the public internet, with network configurations that restrict access to trusted internal networks only.
+:::
+
 For step-by-step guides on deploying and configuring Temporal, refer to our [Infrastructure tutorials](https://learn.temporal.io/tutorials/infrastructure/).
 
 ### Minimum requirements

@@ -351,3 +351,13 @@ You can use a [Codec Server](/codec-server) with your custom Payload Codec to de
 However, ensure that you consider all security implications of [remote data encoding](/remote-data-encoding) before using a Codec Server.
 
 For details on how to set up a Codec Server, see [Codec Server setup](/production-deployment/data-encryption#codec-server-setup).
+
+## Configuration Options for Restricting and Securing Access  
+
+Temporal provides extensive configuration options to limit and control which callers can access your services and how those services behave in different environments. These options help you enforce stricter security boundaries in self-hosted deployments and tune behavior for production use cases. For more details on available settings and how to configure them, see the following references:
+
+- [Cluster & Server configuration](/references/configuration) — Static configuration settings for servers and services.  
+
+- [Dynamic configuration](/references/dynamic-configuration) — Runtime-updatable settings for tuning and behavior control.  
+
+- [Client environment configuration](/references/client-environment-configuration) — Environment variable settings for configuring Temporal clients.  
@@ -58,7 +58,7 @@ To enable Nexus in your deployment:
          httpAddress: $PUBLIC_URL:7243
    ```
 
-2. Enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
+2a. Prior to version 1.30.X, you must enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
-2a. Prior to version 1.30.X, you must enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
+2a. **Prior to version 1.30.X**, you must enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
-2a. Prior to version 1.30.X, you must enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
+2a. **Prior to version 1.30.X**, you must enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.
 
    ```yaml
    system.enableNexus:
@@ -69,12 +69,18 @@ To enable Nexus in your deployment:
      # membership. The URL is a Go template that interpolates the `NamepaceName` and `NamespaceID` variables.
      - value: https://$PUBLIC_URL:7243/namespaces/{{.NamespaceName}}/nexus/callback
    component.callbacks.allowedAddresses:
-     # This list is a security mechanism for limiting which callback URLs are accepted by the server.
-     # Attackers may leverage the callback mechanism to force the server to call arbitrary URLs.
-     # The config below is only recommended for development, tune this to your requirements.
+     # Limits which callback URLs are accepted by the server.
+     # Wildcard patterns (*) and insecure (HTTP) callbacks are intended for development only.
+     # For production, restrict allowed hosts and set AllowInsecure to false
+     # whenever HTTPS/TLS is supported. Allowing HTTP increases MITM and data exposure risk.
      - value:
-         - Pattern: "*"
-           AllowInsecure: true
+         - Pattern: "*" # Update to restrict allowed callers, e.g. "https://$EXAMPLE_URL\\.example\\.com(:1234)?/.*$"
+           AllowInsecure: true # In production, set to false when HTTPS/TLS is supported. 
+   ```
+
+2b. Since version 1.30.X, Nexus is enabled by default, the only configuration needed is to use the SystemCallbackURL.
+   ```yaml
+   component.nexusoperations.useSystemCallbackURL: true
-   component.nexusoperations.useSystemCallbackURL: true
+   component.nexusoperations.useSystemCallbackURL:
+     -value: true
-   component.nexusoperations.useSystemCallbackURL: true
+   component.nexusoperations.useSystemCallbackURL:
+     -value: true
    ```
 
 ## Build and use Nexus Services

@@ -239,3 +239,15 @@ The Temporal server reports the server version and the version of the SDK that i
 | Dynamic configuration key           | Type    | Description                                                                                                                       | Default value |
 | ----------------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------- |
 | `frontend.enableServerVersionCheck` | Boolean | Enables the Temporal server to report version information about the current server and SDK. Allowed values are `true` or `false`. | `true`        |
+
+### Nexus settings
+
+Settings related to the management of Nexus
+
+| Dynamic configuration key                              | Type    | Description                                                                                                                                    | Default value                                                           |
+| ------------------------------------------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
+| `system.enableNexus`                                   | Boolean | Enables Nexus Features                                                                                                                         | `true` (since 1.27)                                                     |
+| `component.nexusoperations.callback.endpoint.template` | String  | Defines the URL template used to construct Nexus callback endpoints that Nexus uses to deliver asynchronous completion results.                | `https://$PUBLIC_URL:7243/namespaces/{{.NamespaceName}}/nexus/callback` |
+| `component.callbacks.allowedAddresses`                 | Object  | Defines the security allow-list of callback URL patterns that the server will accept; used to restrict what callback endpoints can be invoked. | (See below sub-properties)                                              |
+| `component.callbacks.allowedAddresses.Pattern`         | String  | Defines which callback URLs are permitted to be called by the server. (the patterns is a wildcard)                                             | `*`                                                                     |
+| `component.callbacks.allowedAddresses.AllowInsecure`   | Boolean | Enables whether insecure (non-TLS/HTTP) URLs matching the pattern are permitted; should be false in production when HTTPS is supported.        | `true`                                                                  |