Hi there,

The default behaviour of the HTTP connector is listening on all interfaces. This 
is stated in the description of "address" in the attributes section. 
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

In terms of secure defaults, this may not be best practice. In case of 
unexpected mistakes made by people, the default behaviour of exposing the server 
to every possible network may pose a potential security threat.

CWE-1327: Binding to an Unrestricted IP Address: 
https://cwe.mitre.org/data/definitions/1327.html

The issue should be a security enhancement. I recommend changing the default 
behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, 
and adding a configuration option, with default value OFF, for 0.0.0.0 or ::.

If there has been any previous discussion about this, could you please tell 
me?

I hope I have made that clear.

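The CWE-1327 condition described in the message can be checked in an existing server.xml rather than waiting for a default change. The following script is an added example (not code from the message's author or from the Tomcat project): it parses a constructed sample server.xml embedded inline, flags every Connector whose address attribute is absent or set to the wildcard address (0.0.0.0 or ::), and produces a hardened copy pinned to the loopback interface. The sample configuration, the function names and the choice of 127.0.0.1 as the hardened address are assumptions for illustration; the treatment of a missing address as "all interfaces" follows the HTTP connector documentation linked above.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample server.xml (not a real deployment): one connector with the
# default (unset) address, one explicitly on the wildcard address, and one
# already pinned to loopback.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" address="0.0.0.0" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="127.0.0.1" SSLEnabled="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Literal spellings of the unspecified address, used when the value does not
# parse as an IP address at all.
UNRESTRICTED_LITERALS = {"0.0.0.0", "::"}


def is_unrestricted(address):
    """True when a connector with this address value listens on every interface.

    An absent or empty `address` is treated as unrestricted, which is the
    documented behaviour of the HTTP connector. Any form of the unspecified
    address (0.0.0.0, ::, ::0.0.0.0) is recognised via ipaddress; hostnames such
    as "localhost" are treated as restricted.
    """
    if address is None or address.strip() == "":
        return True
    value = address.strip()
    try:
        return ip_address(value).is_unspecified
    except ValueError:
        return value in UNRESTRICTED_LITERALS


def audit_connectors(server_xml):
    """Return one finding dict per <Connector> element in document order."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),  # Tomcat's default protocol
            "address": address,
            "unrestricted": is_unrestricted(address),
        })
    return findings


def harden(server_xml, bind_to="127.0.0.1"):
    """Return a copy of server.xml with every unrestricted Connector pinned to
    `bind_to` (assumed here to be the loopback interface, per the proposal)."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if is_unrestricted(conn.get("address")):
            conn.set("address", bind_to)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        flag = "UNRESTRICTED (CWE-1327)" if f["unrestricted"] else "restricted"
        print(f"port {f['port']:>5} address={f['address']!r:<14} {flag}")
    print(harden(SAMPLE_SERVER_XML))
```

Run it against a real server.xml by reading the file into `audit_connectors`; a connector reported as unrestricted is one that will accept connections on every interface of the host unless a firewall or reverse proxy in front of it says otherwise. The hardened output is meant as a starting point to review, not to copy over the live file blindly, since a connector that fronts external traffic genuinely needs a non-loopback address.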