Cockpit makes Linux discoverable. But it's really a Linux session in a web browser, accessing the native system APIs and tools directly from javascript. Does that sound scary? How can we be sure that accessing Linux from a web browser is secure? What about the web server stack? What about authentication and privilege escalation? We'll talk about how Cockpit deals with security, authentication, privilege escalation, and browser lock down. I'll show you various techniques to tailor Cockpit's security options to your situation, like using bastion hosts.