Describe the problem
Docs for `--host` flag for `dev` CLI do not explicitly mention the security risk involved with setting this value to `0.0.0.0`. The CLI does print a runtime warning when this happens:

```ts
// '0.0.0.0' binds to all interfaces, which is useful for Docker and other containerized environments.
// By default we allow requests from all hosts in this case, but the user should be made aware of the risk.
if (
  options.host === '0.0.0.0' &&
  (!allowedHosts || (allowedHosts !== true && allowedHosts.length === 0))
) {
  logger.warn(dedent`
    --host is set to 0.0.0.0 but no allowedHosts are defined. Allowing all hosts.
    To restrict allowed hosts, set core.allowedHosts in your main Storybook config.
    See: https://storybook.js.org/docs/api/main-config/main-config-core
  `);
}
```

Users who pass `--host=0.0.0.0` should set `allowedHosts` in their main config: https://storybook.js.org/docs/api/main-config/main-config-core#allowedhosts
Additional context
No response
storybook/code/core/src/core-server/build-dev.ts, lines 220 to 231 in 7e7251e (source of the snippet above)
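The following sketch is an added example, not part of the issue or of Storybook's code: it reuses the warning condition quoted above and shows which `Host` headers would pass with and without `core.allowedHosts` when the server runs with `--host 0.0.0.0`. The exact-match rule, the function names and the sample hostnames are assumptions made for illustration.

```javascript
// Added illustration, not Storybook source. Assumes the dev server was started
// with --host 0.0.0.0; the exact-match rule below is an assumption, and any
// built-in exceptions Storybook applies are not modelled.

// Same condition as the snippet quoted in the issue: bound to all interfaces
// with no allow-list configured, so every Host header is accepted.
function allowsAllHosts(host, allowedHosts) {
  return (
    host === '0.0.0.0' &&
    (!allowedHosts || (allowedHosts !== true && allowedHosts.length === 0))
  );
}

// Reduce a Host header to a bare hostname: lowercase, no port, and IPv6
// literals such as "[::1]:6006" unwrapped. Returns '' when malformed.
function hostnameFromHeader(hostHeader) {
  const value = String(hostHeader ?? '').trim().toLowerCase();
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    return end === -1 ? '' : value.slice(1, end);
  }
  return value.split(':')[0];
}

// Hypothetical decision function for one incoming request.
function isHostAllowed(hostHeader, host, allowedHosts) {
  if (allowedHosts === true || allowsAllHosts(host, allowedHosts)) return true;
  const name = hostnameFromHeader(hostHeader);
  return name !== '' && (allowedHosts || []).some((h) => h.toLowerCase() === name);
}

// Constructed sample Host headers (not taken from the issue).
const SAMPLE_HEADERS = [
  'storybook.internal.example:6006',
  'Unlisted.example',
  '[::1]:6006',
];

// Evaluate every sample header under one allowedHosts configuration.
function evaluate(allowedHosts) {
  return SAMPLE_HEADERS.map((h) => isHostAllowed(h, '0.0.0.0', allowedHosts));
}

console.log('no allowedHosts:', evaluate(undefined));
console.log('allow-list set: ', evaluate(['storybook.internal.example']));
```
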