fix(security): bind 127.0.0.1 by default via RPA_BIND_HOST (no more hard-coded host=0.0.0.0)
Some checks failed
tests / Lint (ruff + black) (push) Failing after 1m44s
tests / Tests unitaires (sans GPU) (push) Failing after 1m48s
tests / Tests sécurité (critique) (push) Has been skipped

The 4 HTTP entrypoints (api_stream 5005, api_upload 8000, VWB backend 5002,
dashboard 5001) were binding a hard-coded host=0.0.0.0 -> exposed on the whole network.
Now host=os.environ.get('RPA_BIND_HOST','127.0.0.1'): local-only by
default, configurable. Discovered while bringing the local-only DGX into service.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dom
2026-06-08 17:49:58 +02:00
parent 0ee54157e5
commit 09f65cecbe
4 changed files with 8 additions and 4 deletions

@@ -2866,9 +2866,10 @@ if __name__ == '__main__':
print("=" * 50)
try:
import os as _os
socketio.run(
app,
host='0.0.0.0',
host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1'),
port=5001,
debug=False,
allow_unsafe_werkzeug=True
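
Review bot: on the `host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1')` line the value goes to `socketio.run` unchecked, so a set-but-empty `RPA_BIND_HOST` yields `''` instead of the loopback default, and any non-loopback value exposes the server while `allow_unsafe_werkzeug=True` is still passed. Suggest `_os.environ.get('RPA_BIND_HOST') or '127.0.0.1'`, plus a startup warning when the resolved host is not a loopback address. Style point: `import os as _os` inside the `try:` would read better as a module-level import.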