On Mar 14, 2015, at 11:10 PM, Gabor Szabo <gabor@szabgab.com> wrote:
> This can be good for a production server
I don’t think so. In production, Dancer should be behind some more performant server than HTTP::Server::Simple::PSGI. Starman, nginx, Apache, etc… In the PSGI case (e.g. Starman) Dancer won’t be listening at all, as I understand it. In the reverse proxy case (e.g. nginx, Apache) Dancer should be listening only on localhost in production, on some nonstandard port.
> it is quite insecure as a development practice.
The default is good. It means you can run a Dancer app straight out of the box and access it remotely, without going through the Deployment guide to select something better first. If you care about security, you should be developing on a private LAN, not out on a public web host.
> What do you think?
I wouldn’t mind if the default environments/production.yml file had server: "127.0.0.1" in it, if only to force people to think about such issues. That’s as far as I’d go. We shouldn’t be throwing up roadblocks in the development path. One of the reasons I stuck with Dancer through the early days when I was still uncertain about it was that it didn’t make anything harder than it had to be. Development should be easy. Production can be hard, because that’s DevOps’ problem. :)
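A check for the deployment described in this reply (the app bound to loopback behind a reverse proxy), added here as an example and not code from the thread or from Dancer: it reads Linux `ss -ltn` output and reports every TCP listener that is not on 127.0.0.1 or ::1. The sample socket table and the port numbers in it are constructed for the demo; the script assumes the standard `ss` column layout.

```shell
#!/bin/sh
# Added example, not from the thread: audit which TCP listeners on a host are
# bound to something other than loopback, so an app that is supposed to sit
# behind nginx/Starman on 127.0.0.1 can be confirmed unreachable from outside.
# Assumes Linux `ss -ltn` output: State Recv-Q Send-Q Local_Address:Port Peer_Address:Port

# Constructed sample of `ss -ltn` output (ports are made up for the demo):
# sshd and nginx on all interfaces, one app on loopback, one app on 0.0.0.0:3000.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    0.0.0.0:3000       0.0.0.0:*'

# Read `ss -ltn` output on stdin; print "address port" for each listener that is
# not bound to 127.0.0.1 or ::1.
non_loopback_listeners() {
    awk '
        $1 == "State" { next }                     # skip the header line
        {
            n = split($4, parts, ":")              # port is after the last colon
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]")
                print addr, port
        }'
}

# Exit 0 if the given port is bound only to loopback, 1 if it is exposed.
port_is_local_only() {
    non_loopback_listeners | awk -v p="$1" '
        $2 == p { exposed = 1 }
        END { if (exposed) exit 1; exit 0 }'
}

# Demo on the constructed sample; on a live host use: ss -ltn | non_loopback_listeners
printf '%s\n' "$SAMPLE" | non_loopback_listeners
if printf '%s\n' "$SAMPLE" | port_is_local_only 3000; then
    echo "port 3000: loopback only"
else
    echo "port 3000: reachable from other hosts"
fi
```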