Security: listen on localhost only by default?

[fvsch]

Currently, running servitsy without a custom --host argument will listen on :: (similar to 0.0.0.0), so that the server is reachable from other devices connected to the same local network.

This can be useful for development, when one wants to serve a folder of static files as a website that can be tested on a different device on the same network (e.g. a smartphone connected to the same wifi router).

But there are potential downsides like the “0.0.0.0 Day” family of vulnerabilities. It shouldn’t affect this package since it’s mostly about local servers that can write to disk or change some configuration or state from unauthenticated PUT or POST requests. Still, it might be better to err on the safe side and listen to localhost by default.

[fvsch]

An interesting option might be to implement an authorization token like Jupyter notebooks do: https://jupyter-server.readthedocs.io/en/stable/operators/security.html

Maybe only for requests on hosts that are not localhost by default?