Feature: Do not bind by default to 0.0.0.0 #3368

Closed
2 tasks done
prabirshrestha opened this issue Jan 21, 2024 · 2 comments · Fixed by #4054
Labels
feature New feature or request topic:security This is related to security

Comments

@prabirshrestha

Is your feature request related to a problem?

Do not bind by default to 0.0.0.0. While it might make it easy to get started with surrealdb, this listens on all interfaces and can be a huge security nightmare for folks who are not careful and accidentally expose the db.

Describe the solution

Bind to another host by default, such as 127.0.0.1

Alternative methods

Use --bind=127.0.0.1

SurrealDB version

1.1.1

Contact Details

No response

Is there an existing issue for this?

  • I have searched the existing issues

Code of Conduct

  • I agree to follow this project's Code of Conduct
@prabirshrestha prabirshrestha added feature New feature or request triage This issue is new labels Jan 21, 2024
@gguillemas gguillemas added topic:security This is related to security and removed triage This issue is new labels Jan 21, 2024
@gguillemas gguillemas self-assigned this Jan 21, 2024
@gguillemas
Contributor

Hi @prabirshrestha, thank you for raising this issue.

I agree in principle that the default interface to bind to should be the loopback interface and that binding to all interfaces should be explicitly requested by the user. Unfortunately, making this change in 1.X would break backward compatibility and we will have to wait for 2.X to implement it by default.

Some other authentication improvements have been likewise gated behind a feature flag to prevent breaking backward compatibility and will be enabled by default in 2.X. I will leave this issue open to ensure that we don't lose track of it and we change the default behavior as soon as we are able to push a breaking change.

Thanks again for taking the time to report this!

@gguillemas gguillemas removed their assignment Jan 22, 2024
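The policy discussed in the issue and in the reply above (loopback by default, all-interfaces only on explicit request) as an added example in Rust. This is illustrative code written for this page, not SurrealDB's own CLI or server code: the `--bind` value is modelled as an optional string, the `allow_all_interfaces` opt-in flag is hypothetical, and port 8000 is kept only because the page describes it as the current default.

```rust
// Added example, not SurrealDB code: a secure-by-default bind policy.
// Assumed CLI shape: `--bind <ADDR>` is optional and defaults to loopback;
// a wildcard bind (0.0.0.0 or ::) must be opted into with a separate,
// hypothetical `allow_all_interfaces` flag.
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Loopback-only default that an operator has to override on purpose.
pub fn default_bind() -> SocketAddr {
    SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 8000)
}

#[derive(Debug, PartialEq, Eq)]
pub enum Exposure {
    /// 127.0.0.0/8 or ::1: reachable only from the same host.
    LocalOnly,
    /// A specific non-loopback address: reachable from that network.
    Network(IpAddr),
    /// 0.0.0.0 or ::: reachable on every interface, public ones included.
    AllInterfaces,
}

/// Classify what a listen address actually exposes.
pub fn classify(addr: &SocketAddr) -> Exposure {
    let ip = addr.ip();
    if ip.is_loopback() {
        Exposure::LocalOnly
    } else if ip.is_unspecified() {
        Exposure::AllInterfaces
    } else {
        Exposure::Network(ip)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum BindError {
    /// The `--bind` value did not parse as `ip:port` (or `[ipv6]:port`).
    Unparseable(String),
    /// A wildcard bind was requested without the explicit opt-in.
    WildcardNotAllowed(SocketAddr),
}

/// Resolve the effective listen address from an optional `--bind` value.
/// No flag at all means loopback; a wildcard address is refused unless the
/// (hypothetical) `allow_all_interfaces` opt-in is set.
pub fn resolve_bind(
    bind_flag: Option<&str>,
    allow_all_interfaces: bool,
) -> Result<(SocketAddr, Exposure), BindError> {
    let addr = match bind_flag {
        None => default_bind(),
        Some(s) => s
            .parse::<SocketAddr>()
            .map_err(|_| BindError::Unparseable(s.to_string()))?,
    };
    let exposure = classify(&addr);
    if exposure == Exposure::AllInterfaces && !allow_all_interfaces {
        return Err(BindError::WildcardNotAllowed(addr));
    }
    Ok((addr, exposure))
}

fn main() {
    // Constructed inputs: what an operator might pass on the command line.
    let cases = [
        (None, false),
        (Some("0.0.0.0:8000"), false),
        (Some("0.0.0.0:8000"), true),
        (Some("[::]:8000"), true),
        (Some("10.0.0.5:18000"), false),
        (Some("not-an-address"), false),
    ];
    for (flag, allow) in cases {
        match resolve_bind(flag, allow) {
            Ok((addr, exp)) => println!("{:?} -> listen on {} ({:?})", flag, addr, exp),
            Err(e) => println!("{:?} -> refused: {:?}", flag, e),
        }
    }
}
```

The useful property is the asymmetry: forgetting the flag gives you the safe case, while the risky case takes two deliberate choices (a wildcard address and the opt-in). Note that `[::]` counts as a wildcard too; an IPv6-aware check that only looks for `0.0.0.0` would miss it.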
@prabirshrestha
Author

It will also be great if the default port number is not 8000. This is a very common port for running local servers that one is building.
