From 9871a6d155373efdae981c646be81f6f09fef2fc Mon Sep 17 00:00:00 2001
From: John Knox <jknox@fb.com>
Date: Mon, 23 Sep 2019 03:41:47 -0700
Subject: [PATCH] Devserver: Only listen on localhost

Summary:
In response to https://github.com/facebook/flipper/issues/553

This server is just serving the local assets to the electron instance, when you are running flipper from source (`yarn start`). It's not used in production releases.

I don't think there's a need to encrypt this traffic - it's analogous to running a local web server while you are developing it, however I don't see a reason not to restrict it to localhost.

Reviewed By: danielbuechele

Differential Revision: D17500039

fbshipit-source-id: 5b9df3937d71dc542cfa900da8c9e7f285a0e6ac
---
 scripts/start-dev-server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/start-dev-server.js b/scripts/start-dev-server.js
index d9c45bfc6..d16638922 100644
--- a/scripts/start-dev-server.js
+++ b/scripts/start-dev-server.js
@@ -107,7 +107,7 @@ function startAssetServer(port) {
   const server = http.createServer(app);
 
   return new Promise((resolve, reject) => {
-    server.listen(port, () => resolve({app, server}));
+    server.listen(port, 'localhost', () => resolve({app, server}));
   });
 }