From 2f05228d9108296946fba57ae5c74cc38617a7b7 Mon Sep 17 00:00:00 2001
From: Chris van Marle
Date: Fri, 25 Aug 2017 18:40:55 +0200
Subject: [PATCH] More secure defaults. Without config, listen only on looback interface. In sample config listen on any interface, but use an IP whitelist. Related to #950
---
 config/config.js.sample | 5 ++++-
 js/defaults.js | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/config.js.sample b/config/config.js.sample
index 8294e319..8619a1a9 100644
--- a/config/config.js.sample
+++ b/config/config.js.sample
@@ -9,7 +9,10 @@
  */
 var config = {
- address: "localhost",
+ address: "", // Address to listen on, can be
+ // "localhost", "127.0.0.1", "::1" to listen on loopback interface
+ // another specific IPv4/6 to listen on a specific interface
+ // "", "0.0.0.0", "::" to listen on any interface
  port: 8080,
  ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1"], // Set [] to allow all IP addresses
  // or add a specific IPv4 of 192.168.1.5 :
diff --git a/js/defaults.js b/js/defaults.js
index 06ff7b62..08c4d945 100644
--- a/js/defaults.js
+++ b/js/defaults.js
@@ -8,7 +8,7 @@
  */
 var port = 8080;
-var address = ""; // Default to listening on all interfaces
+var address = "localhost";
 if (typeof(mmPort) !== "undefined") {
  port = mmPort;
 }
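Review bot: In the config/config.js.sample hunk, the new `address: ""` makes a copied sample config bind to every interface, so the `ipWhitelist` on the following context line becomes the only thing limiting who can connect. The neighbouring comment still reads `Set [] to allow all IP addresses` without saying that. The added comment block should state the dependency where the value is chosen, for example by ending its last line as `// "", "0.0.0.0", "::" to listen on any interface (access is then limited only by ipWhitelist)`. The `config` object continues outside the hunk, so whether any other setting restricts access is not visible here.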
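Review bot: In the js/defaults.js hunk, `var address = "localhost";` drops the trailing comment the old line carried, so the no-config default is no longer explained where it is set. Something like `var address = "localhost"; // Default to listening on the loopback interface only` keeps the intent next to the value. A hostname is also resolved at bind time, and depending on the resolver `localhost` may map to only `127.0.0.1` or only `::1`. How `address` reaches the server is outside this hunk, so it is worth confirming that the result matches the loopback entries in the sample `ipWhitelist`.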