Security concern: listening on all accessible IP ports by default is a risk

[petebacondarwin]

When using wrangler dev (and wrangler dev --local) without specifying an IP address, Wrangler will listen on every IP address that is accessible from the current machine. While this is very useful, especially if you want to test on a mobile device, it is not an ideal default. A user could unknowingly expose the Worker outside of their machine to any other machine on the network.

In remote dev mode, we do, at least, print the IP addresses on which Wrangler is listening. But I don't believe that we display this stuff when using local dev mode.

[mrbbot]

Hey! 👋 Listening on just localhost used to be wrangler's behaviour: #1605. I'm not sure what this behaviour should be (afaik most dev servers in the JS ecosystem listen on 0.0.0.0), but in any case, we should be logging all IP addresses in local mode. 👍

[penalosa]

After internal discussion, we've decided to leave the defaults as-is, since we're clearly logging the IPs on which Wrangler is accessible.

However, we're going to change the default IP to localhost in unstable_dev, and so I'll leave this open to track that work