
Security issue: binds to 0.0.0.0 by default rather than 127.0.0.1

Open dbkaplun opened this issue 10 years ago • 2 comments

Should bind to 127.0.0.1 or ::1 rather than 0.0.0.0 or ::, so that the resultant katon page is only accessible to the machine it's running on. This affects ports 31000 and 30900 which katon serves from.

dbkaplun avatar Mar 02 '15 01:03 dbkaplun

Hi Dan,

Wasn't aware of this so thanks for raising this issue :)

I've tried binding to 127.0.0.1, but since katon supports xip.io you can still access your dev servers using http://app.192.168.x.y.xip.io from other devices on your LAN.

I'm not sure then if 127.0.0.1 would make a difference?

typicode avatar Mar 04 '15 17:03 typicode

@typicode depending on how xip.io works, you can instead bind to an address in require('os').networkInterfaces() to allow other devices in the LAN to connect to it.

dbkaplun avatar Mar 04 '15 18:03 dbkaplun