Product: Tomcat 9
Component: Connectors

Hi there,

The default behaviour of the HTTP connector is listening on all interfaces. It is found in the description of "address" in the attributes section. (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support) In terms of security defaults, it may not be best practice.

In case of unexpected mistakes made by people, the default behaviour of exposing the server to every possible network may pose a potential threat to security.

CWE-1327: Binding to an Unrestricted IP Address: https://cwe.mitre.org/data/definitions/1327.html

The issue should be a security enhancement. I recommend changing the default behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, and adding a configuration option with default value OFF for 0.0.0.0 or ::.

Hope that I make it clear.