Description
- This is a bug
- This is a modification request
Code
I can craft a minimal reproducer if needed, but hopefully it's not needed.
Results of webpack-cli info:
System:
OS: Linux 5.13 undefined
CPU: (8) x64 AMD Ryzen 5 2400G with Radeon Vega Graphics
Memory: 382.79 MB / 29.33 GB
Binaries:
Node: 16.0.0 - ~/.nvm/versions/node/v16.0.0/bin/node
Yarn: 1.22.5 - ~/.yarn/bin/yarn
npm: 7.10.0 - ~/.nvm/versions/node/v16.0.0/bin/npm
Browsers:
Firefox: 89.0.2
Packages:
fork-ts-checker-webpack-plugin: >= 6.3.1 => 6.3.2
html-webpack-harddisk-plugin: >= 2.0.0 => 2.0.0
html-webpack-plugin: >= 5.3.2 => 5.3.2
monaco-editor-webpack-plugin: >= 4.1.1 => 4.1.1
webpack: >= 5.11.0 => 5.49.0
webpack-cli: >= 4.2.0 => 4.7.2
webpack-dev-server: >= 4.0.0-rc.0 => 4.0.0-rc.0
Expected Behavior
webpack-dev-server listens on localhost addresses
Actual Behavior
webpack-dev-server listens on all addresses
For Bugs; How can we reproduce the behavior?
I suspect it's caused by #2869 and it's intentional. In my case (external local IP) it means that when I start webpack-dev-server, it's exposed to the internet on the well-known port 8080, and within a minute or so there are bot scans.
While it produces "Invalid Host header" in the browser, curl -H 'Host: localhost' ojab.ru:8080 shows a directory listing.
It's unexpected and dangerous: for example, right now security issues in webpack-dev-server deps are not counted as real security issues because there is an expectation that it's accessible only by the developer themselves, but this is opt-out behavior now.
Developer tools shouldn't be accessible by anyone over the network by default.