theunraveler / taskwarrior-web

A web interface for the Taskwarrior todo application. Because being a neckbeard is only fun sometimes.
http://theunraveler.github.com/taskwarrior-web
MIT License

Listen on localhost instead of 0.0.0.0 by default #122

Open Mebus opened 5 years ago

Mebus commented 5 years ago

Hello,

it seems that task web listens by default on "0.0.0.0". This is a security issue, because no warnings on this are displayed by default. Please make task-web listen on 127.0.0.1 only by default. Why does the whole network need to be able to access my tasks?

Mebus

heiderich commented 5 years ago

The default "0.0.0.0" seems to be the default of vegas, which is used by taskwarrior-web. It seems to be hardcoded there (and "0.0.0.0" seems to be the default only on non-Windows systems):

https://github.com/quirkey/vegas/blob/2aee90e0be1971115dd2b765540036b39d367dca/lib/vegas/runner.rb#L22
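To check which services on a machine are bound the way this issue describes, the following added example (not code from this thread, taskwarrior-web or vegas) classifies listening sockets from `ss -ltn` output as wildcard, loopback-only or bound to one specific address. It assumes the Linux `ss -ltn` column layout; the sample output, ports and helper names are constructed for illustration.

```ruby
require 'ipaddr'

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = <<~OUT
  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
  LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
  LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
  LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
  LISTEN  0       128     [::]:22             [::]:*
  LISTEN  0       128     [::1]:631           [::]:*
  LISTEN  0       128     *:9090              *:*
  LISTEN  0       128     192.168.1.20:3000   0.0.0.0:*
OUT

# Split the "Local Address:Port" column; IPv6 hosts arrive bracketed.
def split_local(field)
  host, _, port = field.rpartition(':')
  host = host.delete('[]').sub(/%.*\z/, '') # drop brackets and %iface scope
  [host, Integer(port)]
end

# :wildcard = every interface, :loopback = this machine only,
# :specific = one non-loopback address.
def bind_scope(host)
  return :wildcard if ['*', '0.0.0.0', '::'].include?(host)

  IPAddr.new(host).loopback? ? :loopback : :specific
end

# Return every listener that is not restricted to loopback.
def exposed_listeners(ss_output)
  ss_output.lines.map do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN'

    host, port = split_local(cols[3])
    scope = bind_scope(host)
    { host: host, port: port, scope: scope } unless scope == :loopback
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  exposed_listeners(SAMPLE_SS).each do |l|
    puts format('%-9s %s port %d', l[:scope], l[:host], l[:port])
  end
end
```

On a real host, pass the text of `ss -ltn` to `exposed_listeners` in place of `SAMPLE_SS`.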