The README gives the impression that the WebUI is only available on localhost. However, by default the server is listening on the "unspecified" address per https://nodejs.org/api/net.html#net_server_listen_port_host_backlog_callback. This may lead to users unintentionally exposing the WebUI on an untrusted network. I was able to patch this in my local install with server.listen(port, "localhost") in app.js.
Alternatively, perhaps the README could be more explicit about the listener behavior, or offer a configuration option to choose the IP?