fix(security): default standalone servers to loopback bind (#13184)

* fix(security): default standalone servers to loopback bind (#4) Change canvas host and telegram webhook default bind from 0.0.0.0 (all interfaces) to 127.0.0.1 (loopback only) to prevent unintended network exposure when no explicit host is configured. * fix: restore telegram webhook host override while keeping loopback defaults (openclaw#13184) thanks @davidrudduck * style: format telegram docs after rebase (openclaw#13184) thanks @davidrudduck --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-08 15:08:25 +00:00 · 2026-02-14 01:39:56 +10:00
parent a17f74306d
commit 5643a93479
10 changed files with 85 additions and 5 deletions
--- a/src/canvas-host/server.ts
+++ b/src/canvas-host/server.ts
@@ -449,7 +449,7 @@ export async function startCanvasHost(opts: CanvasHostServerOpts): Promise<Canva
    }));
  const ownsHandler = opts.ownsHandler ?? opts.handler === undefined;

-  const bindHost = opts.listenHost?.trim() || "0.0.0.0";
+  const bindHost = opts.listenHost?.trim() || "127.0.0.1";
  const server: Server = http.createServer((req, res) => {
    if (String(req.headers.upgrade ?? "").toLowerCase() === "websocket") {
      return;