Hello developers ask us to allow serviceID of type https://localhost/* or https://127.0.0.1/* in order to allow them to develop on their local machine ans test locally . As system and network administrators we are afraid that this opening of localhost serviceID might allow the entire world ( all Internet connected device and hence hackers !) to access our CAS server, allowing them for example to brute force the web login interface or whatever other mischief possible . Is this a real security breach to allow serviceID like https://localhost/* , or we are anyway already exposed by our production services which allows https://*.our-domain.fr/* serviceID which could be also used by hackers if the spoof our urls ?
thanks for your security advice regarding this question . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f278051d-a428-4232-8ccc-ac0bf042ff81n%40apereo.org.
