[dancer-users] Public web server by default is insecure

Warren Young wyml at etr-usa.com
Mon Mar 16 23:07:39 GMT 2015

On Mar 14, 2015, at 11:10 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> This can be good for a production server

I don’t think so.  In production, Dancer should be behind some more performant server than HTTP::Server::Simple::PSGI.  Starman, nginx, Apache, etc…

In the PSGI case (e.g. Starman) Dancer won’t be listening at all, as I understand it.

In the reverse proxy case (e.g. nginx, Apache) Dancer should be listening only on localhost in production, on some nonstandard port.

> it is quite insecure as a development practice.

The default is good.  It means you can run a Dancer app straight out of the box and access it remotely, without going through the Deployment guide to select something better first.

If you care about security, you should be developing on a private LAN, not out on a public web host.

> What do you think?

I wouldn’t mind if the default environments/production.yml file had 

   server: ""

in it, if only to force people to think about such issues.

That’s as far as I’d go.  We shouldn’t be throwing up roadblocks in the development path.  One of the reasons I stuck with Dancer through the early days when I was still uncertain about it was that it didn’t make anything harder than it had to be.

Development should be easy.  Production can be hard, because that’s DevOps’ problem. :)

More information about the dancer-users mailing list