This issue was moved to a discussion.

next dev default listens on all interfaces #20137

Comments
This is happening because it's the default behavior of Node if a host isn't passed in:

```ts
function startServer(
  serverOptions: any,
  port?: number,
  hostname?: string
) {
  // ...
  srv.listen(port, hostname)
  // ...
}
```

In the `next dev` command:

```ts
startServer(
  { dir, dev: true, isNextDevCommand: true },
  port,
  args['--hostname']
) { /* ... */
```

@kcking & @rsms, I don't know enough about this yet. Is there a case in a development environment where it would be an issue to listen on all hosts? Conversely, are there common tools in development environments that may have caused Node to make this the default?
If the user is not careful to run a firewall they would unknowingly open up a door for the internet (i.e. anyone) to access their server. I'd strongly suggest that the default is to allow only connections from the local machine (i.e. listen on/bind to If you for some reason really want the default to be "allow connections from the internet", you probably want to make sure that the message presented to the user reflects that. For example
I'm fine with changing the default host to 127.0.0.1; however, one concern I have with making this change is that it'll break certain development setups that currently work, meaning we might have to release this change in a major version. What are your thoughts on this?
That's a good point and I think a very valid concern. How about changing the log message to contain the actual hostname? It seems it does reflect the correct port already, so chances are there is code already to customize that log message. Another thing you might want to consider is to output an additional message when binding to "any", something like "Open publicly to the internet."

Some more thoughts on safety: In When you run serve-http accepting public connections, it screams a little at you:

This happens on Note that changing the default from For now Next.js MUST fix the message at least, when
@timneutkens, perhaps you did not intend the merged PR to close this issue? It is my understanding the issue is about having an arguably insecure default, and that has not been changed. Or do you feel like the decision to keep an insecure default for backwards compatibility has been made? Personally, I think the backwards compatibility concerns can be alleviated, but even if the decision will not be changed, the console output can be more explicit about the insecure setting. "started server on 0.0.0.0:3000, url://localhost:3000" between other console messages is quite a subtle way to communicate that source code for the project is fully available to possible adversaries on the network.
This one auto-closed, we'll want to change the default eventually 👍
Another issue here is that the new child processes like "next-router-worker" are listening on all interfaces EVEN if you start next.js with
Bug report

Describe the bug

`next dev` command listens on all interfaces by default

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

```sh
next dev
sudo lsof -nP -iTCP:3000
```

to see all listeners for port 3000, outputs

Expected behavior

Should only listen on localhost and output

Screenshots

I was first made aware of this via this tweet: https://twitter.com/rsms/status/1337845477283221504

System information