docs: fix host gateway port restriction documentation (#568)
Corrects inaccurate documentation that claimed v0.13.13 includes
port restrictions for --enable-host-access. The security fix
(commit 12683ac) is not yet merged to main, so all ports are
currently accessible when host access is enabled.
Changes:
- Update security warning to emphasize ANY port is accessible
- Document --allow-host-ports as the way to restrict access
- Add note about future default port restrictions
- Remove premature version-specific claims
This aligns documentation with actual code behavior in v0.13.13.
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
docs/usage.md: 5 additions & 5 deletions
@@ -322,11 +322,9 @@ sudo awf \
322
322
323
323
### Security Considerations
324
324
325
-
> ⚠️ **Security Warning**: When `--enable-host-access` is enabled, containers can access services running on the host machine via `host.docker.internal`.
325
+
> ⚠️ **Security Warning**: When `--enable-host-access` is enabled, containers can currently access ANY port on services running on the host machine via `host.docker.internal`. This includes databases, admin panels, and other sensitive services.
326
326
>
327
-
> **Port restrictions:** As of v0.13.13+, access is restricted to ports 80, 443, and any ports specified with `--allow-host-ports`. This prevents access to arbitrary services like databases, admin panels, etc.
328
-
>
329
-
> **Before v0.13.13:** All ports were accessible when host access was enabled, creating a security risk.
327
+
> **Port restrictions:** Use `--allow-host-ports` to explicitly restrict which ports can be accessed (e.g., `--allow-host-ports 80,443,8080`). A future update will make port restrictions the default behavior.
330
328
>
331
329
> Only enable this for trusted workloads like MCP gateways or local testing with Playwright.
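Review bot: The added warning line says "currently" and the added Port restrictions line says "A future update", but neither names a version, so the text will go stale without notice once the default changes. The commit message ties the allow-all behaviour to v0.13.13; stating that here (for example "As of v0.13.13, ...") dates the claim without asserting anything about unreleased versions. The phrase "ANY port on services running on the host machine" also reads oddly, since ports belong to the host rather than to a service; "any port on the host machine" is clearer. Because the default is allow-all, the warning itself should tell readers to pair `--enable-host-access` with `--allow-host-ports`, rather than presenting the flag as an option in a separate paragraph.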
**Note:** Ports 80 and 443 are always allowed when `--enable-host-access` is enabled. Use `--allow-host-ports` to allow additional ports (e.g., for MCP gateways or development servers running on non-standard ports).
347
+
**Note:** When `--enable-host-access` is enabled without `--allow-host-ports`, all ports on `host.docker.internal` are currently allowed. Use `--allow-host-ports` to explicitly restrict which ports can be accessed (e.g., `--allow-host-ports 80,443,8080` for web services and an MCP gateway).
348
+
349
+
> **Security Note:** A future update will change the default behavior to only allow ports 80 and 443 unless `--allow-host-ports` is specified. Explicitly set `--allow-host-ports` now to ensure consistent behavior across versions.
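Review bot: The added note does not say whether the list passed to `--allow-host-ports` is exhaustive. The removed line described the flag as allowing ports in addition to 80 and 443, while the new example `--allow-host-ports 80,443,8080` lists 80 and 443 explicitly, which suggests they are no longer implied; a reader cannot tell whether `--allow-host-ports 8080` on its own would still permit 80 and 443. State that explicitly, and have the Security Note say whether the future default of 80 and 443 applies only when the flag is absent or is always added to the list. The restriction sentence also repeats the Port restrictions line in the Security Considerations warning almost word for word; keeping the detail in one place and referring to it from the other avoids the two drifting apart.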