On Wed, 22 Sep 2021 15:20:21 GMT, Julia Boes <jb...@openjdk.org> wrote:
> > Thanks for sharing your experience on this, it's appreciated. 0.0.0.0 is a
> > common default for Apache httpd [1], Nginx [2], the Python web server [3].
> > This being said, I want to make sure we're taking the right decision here
> > so let me seek some further advice on this.
> >
> > [1] http://httpd.apache.org/docs/2.4/bind.html
> > [2] https://docs.nginx.com/nginx/admin-guide/web-server/web-server/
> > [3] https://github.com/python/cpython/blob/3.4/Lib/http/server.py
>
> Further review concluded that a default binding to 0.0.0.0 creates too high a
> level of exposure, particularly for a low-threshold utility like this server.
> Binding to an unrestricted address is a known way for attackers to launch a
> Denial-of-Service attack, classified by MITRE as CWE-1327 [1]. We therefore
> update the default binding to the loopback address and amend the help output
> with information on how to bind to 0.0.0.0.

Thank you Julia for considering this input and coordinating the change.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
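The exposure discussed in the thread above (a listener bound to the unspecified address 0.0.0.0 or :: instead of loopback) is something a practitioner usually wants to audit on a running host. The following is an added example, not code from the OpenJDK PR or the JDK: it parses the Local Address:Port column of Linux `ss -ltn` output (the sample lines are constructed) and flags every listener bound to all interfaces. It goes a little beyond the thread by treating `::` as all-interfaces too, since on a dual-stack Linux host with `bindv6only=0` a `::` listener also accepts IPv4 connections.

```python
"""Audit listening sockets for all-interfaces (0.0.0.0 / [::] / *) bindings.

Added example, not part of the OpenJDK PR 5505 or the JDK code base. The
`ss -ltn` sample below is constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Listener(NamedTuple):
    host: str
    port: int
    exposure: str  # "loopback", "all-interfaces" or "specific"


def classify(host: str) -> str:
    """Classify a bind address by how widely it is reachable.

    Older ss versions print the IPv4 wildcard as '*'; newer ones print
    0.0.0.0 and [::]. Both unspecified addresses mean "every interface".
    """
    if host in ("*", ""):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"            # one concrete interface address


def parse_local_address(field: str) -> Tuple[str, int]:
    """Split ss's 'Local Address:Port' field, e.g. '[::]:8081' -> ('::', 8081).

    rpartition on the last ':' keeps IPv6 addresses intact; the brackets
    ss puts around IPv6 addresses are stripped afterwards.
    """
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def audit(ss_output: str) -> List[Listener]:
    """Parse `ss -ltn` output (header line included) into Listener records.

    Column layout of `ss -ltn`:
      State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
    so the local address is the fourth whitespace-separated token.
    """
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        host, port = parse_local_address(parts[3])
        listeners.append(Listener(host, port, classify(host)))
    return listeners


def exposed(ss_output: str) -> List[Listener]:
    """Return only the listeners reachable from every interface."""
    return [l for l in audit(ss_output) if l.exposure == "all-interfaces"]


# Constructed sample of `ss -ltn` output: a loopback-bound dev server on
# 8000 next to two wildcard listeners that an auditor would want to see.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:8000       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096            [::]:8081          [::]:*
LISTEN 0      128     192.168.1.10:443        0.0.0.0:*
LISTEN 0      4096           [::1]:9000          [::]:*
"""

if __name__ == "__main__":
    for l in exposed(SAMPLE):
        print(f"all-interfaces listener: {l.host}:{l.port}")
```

On a real host, feed `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` to `exposed()` instead of `SAMPLE`. A service that should only be reached locally, like the development server the thread discusses, belongs in the `loopback` class; anything in `all-interfaces` is reachable by whoever can route to the machine.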