fix(SEC-ORCH-20): Bind orchestrator to 127.0.0.1 by default

Change default bind address from 0.0.0.0 to 127.0.0.1 to prevent
the orchestrator API from being exposed on all network interfaces.
The bind address is now configurable via HOST or BIND_ADDRESS env
vars for Docker/production deployments that need 0.0.0.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-06 13:42:51 -06:00
parent c38271da3b
commit 25d2958fe4
3 changed files with 42 additions and 2 deletions

@@ -10,10 +10,11 @@ async function bootstrap() {
});
const port = process.env.ORCHESTRATOR_PORT ?? 3001;
const host = process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1";
await app.listen(Number(port), "0.0.0.0");
await app.listen(Number(port), host);
logger.log(`🚀 Orchestrator running on http://0.0.0.0:${String(port)}`);
logger.log(`🚀 Orchestrator running on http://${host}:${String(port)}`);
}
void bootstrap();
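
Review bot: On the `const host = process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1"` line, `??` only falls back on null or undefined, so an empty `HOST=` or `BIND_ADDRESS=` (easy to get from a compose or .env file) is passed to `app.listen` as "" instead of the loopback default. Consider trimming and treating an empty value as unset, for example `process.env.HOST?.trim() || process.env.BIND_ADDRESS?.trim() || "127.0.0.1"`. `HOST` is also a generic name that takes precedence over `BIND_ADDRESS` here and may already be set in the environment for unrelated reasons; a prefixed name in line with `ORCHESTRATOR_PORT` would make widening the bind an explicit choice. A warning log when `host` is not a loopback address would help operators notice an exposed API.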