The README gives the impression that the WebUI is only available on localhost. However, by default the server is listening on the "unspecified" address per https://nodejs.org/api/net.html#net_server_listen_port_host_backlog_callback. This may lead to users unintentionally exposing the WebUI on an untrusted network. I was able to patch this in my local install with server.listen(port, "localhost") in app.js.
Alternatively, perhaps the README could be more explicit about the listener behavior, or offer a configuration option to choose the IP?
ChiChou
commented
6 years ago
The README gives the impression that the WebUI is only available on localhost. However, by default the server is listening on the "unspecified" address per https://nodejs.org/api/net.html#net_server_listen_port_host_backlog_callback. This may lead to users unintentionally exposing the WebUI on an untrusted network. I was able to patch this in my local install with
server.listen(port, "localhost")in app.js.Alternatively, perhaps the README could be more explicit about the listener behavior, or offer a configuration option to choose the IP?