[Documentation]: Missing note about allowedHosts config in docs for --host flag #35240

Description

@ghengeveld

Describe the problem

Docs for --host flag for dev CLI do not explicitly mention the security risk involved with setting this value to 0.0.0.0. The CLI does print a runtime warning when this happens:

```ts
// '0.0.0.0' binds to all interfaces, which is useful for Docker and other containerized environments.
// By default we allow requests from all hosts in this case, but the user should be made aware of the risk.
if (
  options.host === '0.0.0.0' &&
  (!allowedHosts || (allowedHosts !== true && allowedHosts.length === 0))
) {
  logger.warn(dedent`
    --host is set to 0.0.0.0 but no allowedHosts are defined. Allowing all hosts.
    To restrict allowed hosts, set core.allowedHosts in your main Storybook config.
    See: https://storybook.js.org/docs/api/main-config/main-config-core
  `);
}
```

Users who pass --host=0.0.0.0 should set allowedHosts in their main config: https://storybook.js.org/docs/api/main-config/main-config-core#allowedhosts

Additional context

No response
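
Added example, not part of the original issue and not Storybook's own code: a small pre-merge check that flags package.json scripts running `storybook dev --host 0.0.0.0` while `core.allowedHosts` is unset or empty, using the same predicate as the warning quoted above. The function names, the sample scripts and the reading of `allowedHosts: true` as "accept any host" are assumptions made for this example.

```javascript
// Added example (not Storybook source). Flags dev scripts that bind to
// 0.0.0.0 while core.allowedHosts does not restrict the accepted hosts.

// Extract the value of --host from a command line ("--host=x" or "--host x").
function parseHostFlag(command) {
  const match = /(?:^|\s)--host(?:=|\s+)(\S+)/.exec(command);
  return match ? match[1].replace(/^['"]|['"]$/g, '') : undefined;
}

// Same predicate as the runtime warning quoted in the issue.
function allowsAllHosts(host, allowedHosts) {
  return (
    host === '0.0.0.0' &&
    (!allowedHosts || (allowedHosts !== true && allowedHosts.length === 0))
  );
}

// scripts: the "scripts" object from package.json.
// core: the "core" object from the main Storybook config.
function auditScripts(scripts, core = {}) {
  const findings = [];
  for (const [name, command] of Object.entries(scripts)) {
    if (!/\bstorybook\s+dev\b/.test(command)) continue;
    const host = parseHostFlag(command);
    if (allowsAllHosts(host, core.allowedHosts)) {
      findings.push(`${name}: --host 0.0.0.0 without core.allowedHosts`);
    } else if (host === '0.0.0.0' && core.allowedHosts === true) {
      // Assumption: `true` is an explicit opt-in to accepting any host.
      findings.push(`${name}: core.allowedHosts is true, every host is accepted`);
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const sampleScripts = {
  storybook: 'storybook dev -p 6006',
  'storybook:docker': 'storybook dev -p 6006 --host 0.0.0.0',
  'storybook:ci': 'storybook dev --host=0.0.0.0 --ci',
};

console.log(auditScripts(sampleScripts, {}));
console.log(auditScripts(sampleScripts, { allowedHosts: ['storybook.example.test'] }));
```
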
