On Thu, 16 Sep 2021 14:05:52 GMT, Jaikiran Pai <j...@openjdk.org> wrote:

>> Julia Boes has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   correct path handling
>
> src/jdk.httpserver/share/classes/module-info.java line 55:
> 
>> 53:  *                                  [-o none|info|verbose] [-h to show options]
>> 54:  *    Options:
>> 55:  *    -b, --bind-address    - Address to bind to. Default: 0.0.0.0 (all interfaces).
> 
> I understand that the purpose of this simple server is for development and 
> testing only. But even then, for security considerations, would it be more 
> appropriate to default the bind address to a loopback address instead of 
> making it accessible potentially to entire public? In the past, application 
> servers which used to bind to all interfaces by default have now moved to 
> using the loopback address as a default to avoid such accidental exposing of 
> the server.

We did consider defaulting to the loopback address, but this would limit the 
usefulness of the server too much in the default configuration as it can only 
be accessed from localhost. The goal of this JEP is an out-of-the-box web 
server with easy setup, so in this case we favour usability. The purpose of a 
web server is to make things accessible on the web so it is assumed that the 
developer is familiar with the terms this comes with. 

The concern of accidental exposure is alleviated by the informative output 
printed at start up, e.g. 
```
~ $ java-sb -m jdk.httpserver
Serving /current/directory and subdirectories on 0.0.0.0:8000
http://123.456.7.891:8000/ ...
```

Considering your point though, we can spell out all interfaces and describe the 
URL more clearly:

```
~ $ java-sb -m jdk.httpserver
Serving /current/directory and subdirectories on 0.0.0.0 (all interfaces) port 8000
Localhost URL: http://123.456.7.891:8000/ ...
```

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
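As an added illustration of the bind-address trade-off discussed in this thread (example code, not from the PR or the JDK itself): a small wrapper around the `jdk.httpserver` file-server API. It assumes the API as it shipped with JEP 408 in JDK 18 (`SimpleFileServer.createFileServer`, `SimpleFileServer.OutputLevel`), not this PR's snapshot. The class name `LoopbackFileServer`, the `--all-interfaces` and `--port` options and the `chooseBindAddress` helper are hypothetical. It applies the reviewer's suggested default (loopback), requires an explicit opt-in to bind all interfaces, and prints the address that was actually bound together with its scope, so the start-up line makes any exposure explicit.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.SimpleFileServer;
import com.sun.net.httpserver.SimpleFileServer.OutputLevel;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;

/**
 * Hypothetical wrapper (not part of the JDK): serves the current directory over
 * HTTP, bound to the loopback address unless --all-interfaces is passed.
 */
public class LoopbackFileServer {

    /**
     * Loopback (127.0.0.1 / ::1) is the default; the wildcard address
     * (0.0.0.0 / ::, i.e. all interfaces) is only used when explicitly requested.
     */
    static InetSocketAddress chooseBindAddress(boolean allInterfaces, int port) {
        if (allInterfaces) {
            return new InetSocketAddress(port);                          // wildcard address
        }
        return new InetSocketAddress(InetAddress.getLoopbackAddress(), port);
    }

    /** Human-readable scope of a bound address, used in the start-up message. */
    static String describeScope(InetSocketAddress bound) {
        InetAddress a = bound.getAddress();
        if (a.isAnyLocalAddress()) {
            return "all interfaces";
        }
        return a.isLoopbackAddress() ? "loopback only" : "single interface";
    }

    public static void main(String[] args) throws IOException {
        boolean allInterfaces = false;
        int port = 8000;
        for (int i = 0; i < args.length; i++) {
            switch (args[i]) {
                case "--all-interfaces" -> allInterfaces = true;
                case "-p", "--port" -> port = Integer.parseInt(args[++i]);
                default -> throw new IllegalArgumentException("unknown option: " + args[i]);
            }
        }

        // createFileServer requires an absolute root directory.
        Path root = Path.of("").toAbsolutePath();
        InetSocketAddress bind = chooseBindAddress(allInterfaces, port);
        HttpServer server = SimpleFileServer.createFileServer(bind, root, OutputLevel.INFO);
        server.start();

        // Report what was actually bound (port 0 would have been replaced by an ephemeral one).
        InetSocketAddress bound = server.getAddress();
        System.out.printf("Serving %s and subdirectories on %s port %d (%s)%n",
                root, bound.getAddress().getHostAddress(), bound.getPort(), describeScope(bound));
        System.out.printf("Localhost URL: http://%s:%d/%n",
                InetAddress.getLoopbackAddress().getHostAddress(), bound.getPort());
    }
}
```

Run with `java LoopbackFileServer` for the loopback default, or `java LoopbackFileServer --all-interfaces -p 8000` to reproduce the behaviour the thread describes for the stock tool; either way the printed scope line is the check a developer can eyeball before sharing the URL.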
