Cortask

Self-Hosting

Cortask can run on a remote server so you can access it from any device with a browser.

Server Configuration

The gateway listens on 127.0.0.1:3777 by default. To make it accessible over the network, configure the host and port in ~/.cortask/config.yaml:

server:
  port: 3777
  host: 0.0.0.0

You can also set these via environment variables:

CORTASK_PORT=3777
CORTASK_HOST=0.0.0.0

Environment variables take precedence over the config file. The gateway will automatically try up to 10 consecutive ports if the configured port is already in use.

Running as a Service

Use a process manager to keep Cortask running in the background.

Using systemd (Linux):

[Unit]
Description=Cortask Gateway
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/cortask serve
Restart=on-failure
RestartSec=5
Environment=CORTASK_HOST=0.0.0.0

[Install]
WantedBy=multi-user.target

Using PM2 (cross-platform):

pm2 start "cortask serve" --name cortask
pm2 save
pm2 startup

Security Considerations

Cortask does not include built-in authentication. When exposing it beyond localhost, you should put it behind a reverse proxy with authentication and TLS.

CORS policy: By default, only requests from localhost and 127.0.0.1 are accepted. To allow your domain, set:

CORTASK_CORS_ORIGIN=https://cortask.example.com

Reverse proxy example (nginx):

server {
    listen 443 ssl;
    server_name cortask.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://127.0.0.1:3777;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

The Upgrade and Connection headers are required for WebSocket connections to work through the proxy.

Additional recommendations:

  • Use HTTP Basic Auth or an SSO proxy (e.g. OAuth2 Proxy, Authelia) in front of Cortask.
  • Keep your LLM API keys secure -- they are stored encrypted on disk using AES-256-GCM, but the gateway serves them to the agent without additional authentication.
  • Restrict which users can access the bash tool and file write operations, as these grant full access to the server filesystem within workspace boundaries.

Data Directory

All persistent data (config, credentials, databases, logs) is stored in ~/.cortask/ by default. Override with:

CORTASK_DATA_DIR=/opt/cortask/data