RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]
jpai at openjdk.java.net
Thu Sep 23 05:53:00 UTC 2021
On Wed, 22 Sep 2021 15:20:21 GMT, Julia Boes <jboes at openjdk.org> wrote:
> > Thanks for sharing your experience on this, it's appreciated. 0.0.0.0 is common default for Apache httpd , Ngnix , the Python web server . This being said, I want to make sure we're taking the right decision here so let me seek some further advice on this.
> >  http://httpd.apache.org/docs/2.4/bind.html
> >  https://docs.nginx.com/nginx/admin-guide/web-server/web-server/
> >  https://github.com/python/cpython/blob/3.4/Lib/http/server.py
> Further review concluded that a default binding to 0.0.0.0 creates too a high level of exposure, particularly for a low-threshold utility like this server. Binding to an unrestricted address is a known way for attackers to launch a Denial-of-Service attack, classified by MITRE as CWE-1327 . We therefore update the default binding to the loopback address and amend the help output with information on how to bind to 0.0.0.0
Thank you Julia for considering this input and coordinating the change.
More information about the core-libs-dev