It doesn't have to be web facing to be a security concern. If you ever bring your computer or phone to Starbucks, it is exposed on a public network, and if you have anything set up to be served on 0.0.0.0 it is accessible to anyone there; and if it is also able to serve anything from your computer, your entire hard drive is exposed to everyone.
There are plenty of secure ways to use Node as an externally facing server; I have one set up for TiddlyWiki. But security is a difficult problem, and it isn't obvious where the security concerns are, even to experienced security people. It is generally a good idea to go with a more conservative approach to security.

As a developer I do have responsibility for the things that I create, so I am never going to make something that serves on 0.0.0.0 by default, nor anything that serves any file from the hard drive by default, because it is unreasonable to expect everyone who uses what I make to understand the security and privacy implications of that. If someone using what I make wants to change the settings to allow those things, then they can, but then it is their decision to do something potentially dangerous and expose themselves in that way.

Anything that we make as the basic version of TiddlyWiki should be as safe as possible. That means no serving arbitrary files by default. If people want to change the settings they are free to do that, but here there be dragons.

-- You received this message because you are subscribed to the Google Groups "TiddlyWiki" group. To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/430b9f66-6ee9-4b6d-93a4-77b95fb48653%40googlegroups.com.