I agree the title should be different, for more than one reason:
* It is not "insecure" to run an application on an interface unless the application mandates it shouldn't. It depends on the situation and there is no definite "should-be" situation anyone can claim here.
* It is not "Dancer" that picks the port. The development server start-up is sent to Plack's development server (at least in more recent Dancer2 versions), and *that* is what decides those defaults.
* The development server is not supposed to be your full production server and you shouldn't be expecting it to have the behavior of a full-on secure production application. It's meant to run something so you could play with it.

If the idea is "any development server should automatically always bind to my localhost" - whether I agree with it or not - it should be directed to the authors of the development server - Plack.

If the idea is "I wish Dancer's defaults when running the development server would include binding to localhost", we can definitely discuss it. (I don't feel strongly about this, so I would enjoy hearing what other people think.) Perhaps such a discussion would lead to scaffolding profiles and having a more secure one instead of changing the default. Still, my fear would be that people would assume the development server does the right thing for a production server and use it as such. I've seen it happen before in other languages and other frameworks, even in Perl (and unfortunately with Dancer as well).

An interesting example is Python's SimpleHTTPServer, which, by default, even though it comes with *core* Python, still listens to 0.0.0.0. (I assume it might also work for IPv6, but haven't tried.) They literally allow running "python -m SimpleHTTPServer" to open a public web server on the spot. Different users want different things.

Should a development server need a deployment document? I don't know. I would guess it's meant to make development as easy as possible. Then, when you want to really deploy it, you use the Deployment guide, which suggests a proper set up with a proper server.

But that's just my $0.02.
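The 0.0.0.0-versus-127.0.0.1 distinction the thread keeps coming back to, as an added example that is not part of this mailing list thread and is not Dancer, Plack or Python project code: a small Python audit that classifies listener addresses (wildcard, loopback-only, or a specific address), parses `ss -ltn`-style output for anything reachable beyond loopback, and binds a throwaway socket the way a development server would to show what the kernel actually reports back. The `ss` lines below are constructed sample data, not output captured from any host.

```python
"""Audit which addresses TCP listeners are bound to.

Two checks: (1) classify listener lines in `ss -ltn` format (the sample
lines here are constructed, not captured from a real host); (2) bind a
throwaway socket the way a dev server would and read back the address.
"""
import ipaddress
import socket

WILDCARD = "all-interfaces"     # 0.0.0.0, ::, or '*': reachable from any NIC
LOOPBACK = "loopback-only"      # 127.0.0.0/8 or ::1: local machine only
SPECIFIC = "specific-address"   # one concrete interface address


def classify(addr: str) -> str:
    """Classify a bind address as wildcard, loopback, or a specific IP."""
    if addr in ("*", ""):                 # older ss prints '*' for wildcard
        return WILDCARD
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                 # 0.0.0.0 or ::
        return WILDCARD
    if ip.is_loopback:                    # 127.x.x.x or ::1
        return LOOPBACK
    return SPECIFIC


def split_local(local: str):
    """Split ss's 'Local Address:Port' column into (address, port).

    Handles '0.0.0.0:5000', '[::]:8000', '127.0.0.1:3000' and '*:22'.
    """
    host, _, port = local.rpartition(":")
    if host.startswith("[") and host.endswith("]"):   # bracketed IPv6
        host = host[1:-1]
    return host, int(port)


def audit_ss(output: str):
    """Return [(address, port, classification)] for every LISTEN socket
    in `ss -ltn` output that is NOT confined to loopback."""
    findings = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":      # skip header/other rows
            continue
        host, port = split_local(cols[3])
        cls = classify(host)
        if cls != LOOPBACK:
            findings.append((host, port, cls))
    return findings


def bind_and_report(host: str):
    """Bind a listener to `host` on an ephemeral port, as a dev server
    would, and return (bound_address, classification) from getsockname()."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        s.listen(1)
        bound = s.getsockname()[0]
    return bound, classify(bound)


# Constructed sample in `ss -ltn` layout (not real output from any machine).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:3000       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5000         0.0.0.0:*
LISTEN  0       128     [::]:8000            [::]:*
LISTEN  0       128     192.0.2.10:8080      0.0.0.0:*
"""

if __name__ == "__main__":
    for host, port, cls in audit_ss(SAMPLE_SS):
        print(f"port {port} bound to {host}: {cls}")
    for candidate in ("127.0.0.1", "0.0.0.0"):
        print(candidate, "->", bind_and_report(candidate))
```

Only the 3000 listener on 127.0.0.1 stays out of the findings; the 0.0.0.0, [::] and 192.0.2.10 entries are reported because a client on another host could reach them. The same `classify()` call is what a scaffolding profile check would apply to a configured `server:` value before the app starts.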


On Wed, Mar 18, 2015 at 9:57 PM, Warren Young <wyml@etr-usa.com> wrote:
On Mar 18, 2015, at 12:11 PM, Gabor Szabo <gabor@szabgab.com> wrote:
>
> # Enable the following line to limit the server to only listen to localhost:
> # server: "127.0.0.1"

That would be perfectly fine with me.

It’s very different from what you originally asked for.
_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users