Dev server binds to all network interfaces (0.0.0.0) with no option to restrict to localhost #128

@agustinfitipaldi

Summary

The dev server always binds to all network interfaces because _serverListen only passes port to Node's server.listen(), with no host parameter. There is no configuration option to change this. Users on networks that assign publicly routable IPs (university networks like eduroam, IPv6 networks, misconfigured routers, conference/hotel WiFi) are exposed to the internet with no warning.

The problem

In server.js, the listen call looks like this:

_serverListen(port) {
    this.server.listen({
        port,
    });
}

When no host is passed to Node's server.listen(), it defaults to 0.0.0.0 — meaning every network interface on the machine. There is no host option in setServerOptions and no --host CLI flag to override this.

The showAllHosts option does not restrict binding — it only controls whether additional IPs are displayed in the console output.

Why this matters

Most developers assume their dev server is only accessible locally. On many home networks, NAT accidentally provides that isolation. But this is not a safe default as there are many networks (such as lots of university networks) that have very little if any inbound filtering.

Suggested fix

Pass a host option through to server.listen(), defaulting to 127.0.0.1:

_serverListen(port) {
    this.server.listen({
        port,
        host: this.options.host || "127.0.0.1",
    });
}

This would:

  • Make the dev server secure by default (loopback only).
  • Allow users who need LAN access to opt in with host: "0.0.0.0" in setServerOptions.
  • Align with the behavior of essentially every other modern dev server.

Users who need to access their dev server from other devices (e.g., phone testing) can explicitly set host: "0.0.0.0" or use a tool like tailscale serve to proxy safely.
