
devserver binds to network as well as localhost #2295

Closed
talkingtab opened this issue May 20, 2017 · 12 comments

Comments

@talkingtab

Instead of opening a port on the localhost only, create-react-app now binds to the network as well. On a new instance when I run yarn start I get:

You can now view foo in the browser.
Local: http://localhost:3000/
On Your Network: http://xxx.138.90.222:3000/

I use ufw to close ports, but this change from previous versions seems like it could potentially cause problems.

  • Is there a way to turn this off?
  • Is this really a good default?
@gaearon
Contributor

gaearon commented May 20, 2017

Could you clarify what kind of problems? People typically want to be able to test the app on mobile devices.

cc @Timer

@Timer
Contributor

Timer commented May 20, 2017

Instead of opening a port on the localhost only, create-react-app now binds to the network as well.

We've always bound to the entire network (sorry!); we just never made this clear until 1.0.0.

Is there a way to turn this off?

Yes. Create an env file (.env) which contains the following:

HOST=localhost

This will make the dev server only bind to localhost, which may be IPv6 or IPv4. You can be more specific and specify 127.0.0.1 or ::1 if you'd like.

Is this really a good default?

@gaearon and I have talked and agree that this is a good default, which is why we make it as apparent as possible and show you a network address we're listening on.

@Timer
Contributor

Timer commented May 20, 2017

Could you clarify what kind of problems?

Binding to 0.0.0.0 also binds to your public IP address, not only your LAN address, which means (in theory) I could connect to your CRA instance from across the world while you develop.

This is what the HOST check prevents: we try to only permit your LAN address but not your public IP address, which is what setting DANGEROUSLY_DISABLE_HOST_CHECK (or not using proxy) would allow.

It appears we autodetected his public address instead of his LAN address, which could be problematic.

@talkingtab do you happen to be on linux?

@talkingtab
Author

I am concerned that people will be allowing access to a product that is under development without understanding what they are doing. Maybe it is harmless, but I would suggest a better default is:

  • Bind only localhost
  • Change the message to say: "To change the port or address see xxxx"

@talkingtab
Author

talkingtab commented May 20, 2017

Yes, I am. And yes, that is my public network address.

@talkingtab talkingtab reopened this May 20, 2017
@Timer
Contributor

Timer commented May 20, 2017

@talkingtab a web application's source code is always public, so there's no sense in "protecting" it; when you use the proxy option (and potential security concerns arise), we lock down what hosts can access the product to strictly what you see.

In your case, it seems we grabbed your public IP address (most likely because you do not have a private address, do you?).

We will need to address this security hole, because I do not believe that this is a sensible default. We should only permit private (same network) IP addresses.

In the meantime, please create an .env file with HOST=localhost in it which will protect your development.
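The "only permit private (same network) addresses" rule described in this comment, and the HOST=localhost override from the earlier reply, written out as an added example (not create-react-app's own code; function names and the interface-table shape are assumptions modelled on Node's os.networkInterfaces()):

```javascript
// Added example, not create-react-app code. Decides what a dev server should
// advertise as "On Your Network": only RFC 1918 private (LAN) IPv4 addresses
// qualify; a machine with just a public address falls back to localhost-only.
// Input shape mirrors os.networkInterfaces(): { ifname: [{ address, family, internal }] }

function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((octet) => octet > 255)) return false; // reject 192.168.1.256
  return (
    a === 10 ||                          // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168)             // 192.168.0.0/16
  );
}

// First non-loopback private IPv4 address, or null when none exists
// (the reporter's case: a Linux host with only a public address).
function pickLanAddress(interfaces) {
  for (const entries of Object.values(interfaces)) {
    for (const e of entries) {
      const v4 = e.family === 'IPv4' || e.family === 4; // Node 18.0-18.3 used numbers
      if (v4 && !e.internal && isPrivateIPv4(e.address)) return e.address;
    }
  }
  return null;
}

// An explicit HOST (e.g. HOST=localhost from .env) always wins; otherwise bind
// to all interfaces only when a LAN address exists to show the user.
function chooseHost(interfaces, envHost) {
  if (envHost) return envHost;
  return pickLanAddress(interfaces) ? '0.0.0.0' : 'localhost';
}

// Constructed sample interface tables (not real hosts).
const publicOnly = {
  lo: [{ address: '127.0.0.1', family: 'IPv4', internal: true }],
  eth0: [{ address: '203.0.113.7', family: 'IPv4', internal: false }],
};
const lan = {
  lo: [{ address: '127.0.0.1', family: 'IPv4', internal: true }],
  wlan0: [{ address: '192.168.1.20', family: 'IPv4', internal: false }],
};

console.log(chooseHost(publicOnly, process.env.HOST)); // localhost
console.log(chooseHost(lan, process.env.HOST));        // 0.0.0.0 unless HOST is set
```

As kamranayub notes later in the thread, a private address still means anyone on the same LAN can reach the server, so HOST=localhost remains the safer choice on shared networks.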

@talkingtab
Author

I did add the .env and that works fine. I am not using a private address. And yes, I think it is a potential security hole. Thanks for the help, the fix and create-react-app.

@Timer
Contributor

Timer commented May 20, 2017

I've opened #2296 after this discussion. Thanks for the report!

@Timer Timer closed this as completed May 20, 2017
@gaearon
Contributor

gaearon commented May 21, 2017

Should be fixed in react-scripts@1.0.3. Please verify!

@talkingtab
Author

Yes, it only binds to localhost on linux without a private network. Thanks!

@kamranayub

@gaearon Sorry to chime in on such an old issue, but it looks like even binding to 10.x addresses is a security issue because on org Wi-Fi the dev site will still be accessible to those on the network. I noticed in my dev console failed requests to malicious URLs; it looked like someone was scanning.

I've set our repos to use HOST=localhost now to avoid this.

@lock lock bot locked and limited conversation to collaborators Jan 9, 2019