[dancer-users] Public web server by default is insecure

Sawyer X xsawyerx at gmail.com
Fri Mar 20 16:55:07 GMT 2015


I agree the title should be different, for more than one reason:
* It is not "insecure" to run an application on an interface unless the
application mandates it shouldn't. It depends on the situation and there is
no definite "should-be" situation anyone can claim here.
* It is not "Dancer" that picks the port. The development server start-up is
sent to Plack's development server (at least in more recent Dancer2
versions), and *that* is what decides those defaults.
* The development server is not supposed to be your full production server
and you shouldn't be expecting it to have the behavior of a full on secure
production application. It's meant to run something so you could play with
it.

If the idea is "any development server should automatically always bind to
my localhost" - whether I agree with it or not - should be directed to the
authors of the development server - Plack.

If the idea is "I wish Dancer's defaults when running the development
server would include binding to localhost", we can definitely discuss it.
(I don't feel strongly about this, so I would enjoy hearing what other
people think.) Perhaps such a discussion would lead to scaffolding profiles
and having a more secure one instead of changing the default. Still, my
fear would be that people would assume the development server does the
right thing for a production server and use it as such. I've seen it happen
before in other languages and other frameworks, even in Perl (and
unfortunately with Dancer as well).

An interesting example is Python's SimpleHTTPServer, which, by default,
even though it comes with *core* Python, still listens to 0.0.0.0. (I
assume it might also work for IPv6, but haven't tried.) They literally
allow running "python -m SimpleHTTPServer" to open a public web server on
the spot. Different users want different things.

Should a development server need a deployment document? I don't know. I
would guess it's meant to make development as easy as possible. Then, when
you want to really deploy it, you use the Deployment guide, which suggests
a proper set up with a proper server.

But that's just my $0.02.


On Wed, Mar 18, 2015 at 9:57 PM, Warren Young <wyml at etr-usa.com> wrote:

> On Mar 18, 2015, at 12:11 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> >
> > # Enable the following line to limit the server to only listen to
> localhost:
> > # server: "127.0.0.1"
>
> That would be perfectly fine with me.
>
> It’s very different from what you originally asked for.
> _______________________________________________
> dancer-users mailing list
> dancer-users at dancer.pm
> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>
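As an added example (not part of this post, and not code from the Dancer or Plack projects), here is a small POSIX shell check that answers the question this thread keeps circling: is the development server actually listening on loopback, or on every interface? It parses the output of `ss -ltn`, treats 0.0.0.0, [::] and * as "reachable from other hosts", and 127.0.0.1 and [::1] as loopback-only. The `ss` output embedded in it is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Classify TCP listeners from `ss -ltn` output.  A listener bound to 0.0.0.0,
# [::] or * accepts connections from any interface; one bound to 127.0.0.1 or
# [::1] accepts connections only from the local host.

# Constructed sample of `ss -ltn` output (not captured from a real machine):
# ports 3000 and 22 are loopback-only, ports 5000 and 8000 are bound to all
# interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          127.0.0.1:3000       0.0.0.0:*
LISTEN 0      128            0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128               [::]:8000          [::]:*
LISTEN 0      128          127.0.0.1:22         0.0.0.0:*'

# list_listeners SS_OUTPUT
# Prints one "addr port scope" line per LISTEN socket, where scope is
# "loopback", "all-interfaces" or "specific".
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            la = $4                                   # Local Address:Port column
            port = la; sub(/.*:/, "", port)           # text after the last colon
            addr = la; sub(/:[0-9]+$/, "", addr)      # everything before it (IPv6 brackets kept)
            if (addr == "127.0.0.1" || addr == "[::1]")
                scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                scope = "all-interfaces"
            else
                scope = "specific"
            print addr, port, scope
        }'
}

# exposed_listeners SS_OUTPUT
# Prints "addr:port" for every listener that is reachable from other hosts.
exposed_listeners() {
    list_listeners "$1" | awk '$3 != "loopback" { print $1 ":" $2 }'
}

# port_is_loopback_only SS_OUTPUT PORT
# Exit 0 if at least one listener exists on PORT and every listener on PORT is
# bound to a loopback address; exit 1 otherwise (including no listener at all).
port_is_loopback_only() {
    list_listeners "$1" | awk -v p="$2" '
        $2 == p { seen = 1; if ($3 != "loopback") bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Stand-alone run: report what the sample output would show.
echo "listeners reachable from other hosts:"
exposed_listeners "$SAMPLE_SS"
port_is_loopback_only "$SAMPLE_SS" 3000 && echo "port 3000: loopback only"
port_is_loopback_only "$SAMPLE_SS" 5000 || echo "port 5000: reachable from other hosts"
```

On a real box, start the app and then run `port_is_loopback_only "$(ss -ltn)" 3000` (or whatever port the development server took). With Plack's development server the bind address is chosen on the command line, e.g. `plackup --host 127.0.0.1 --port 3000 bin/app.psgi`; the commented `server: "127.0.0.1"` line quoted above is the config-file form this thread is discussing.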