[PR #266] [MERGED] Fix ASP.NET backend listening on 0.0.0.0 #1126

Open
opened 2026-01-29 16:57:36 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/ElectronNET/Electron.NET/pull/266
Author: @gfs
Created: 5/31/2019
Status: Merged
Merged: 7/1/2019
Merged by: @robertmuehsig

Base: master ← Head: gfs/listen-on-127.0.0.1


📝 Commits (5)

  • 98a5495 Prevents binding to 0.0.0.0 on Windows
  • 6d31c41 Change NodeIntegration Default to False
  • d3d7361 Version in build script now a variable
  • 07a0bc9 Revert NodeIntegration Change
  • 802b1ac Update README.md

📊 Changes

4 files changed (+20 additions, -6 deletions)

📝 ElectronNET.API/Entities/WebPreferences.cs (+1 -1)
📝 ElectronNET.API/WebHostBuilderExtensions.cs (+1 -1)
📝 README.md (+13 -0)
📝 buildReleaseNuGetPackages.cmd (+5 -4)

📄 Description

Why this change?
Default behavior for Windows appears to be to resolve localhost to 0.0.0.0, which causes the Windows firewall to get triggered, but also exposes the ASP.NET backend to remote access, which opens up the app to RCE risks unnecessarily.

Also

  1. Add a comment for why NodeIntegration is true.

  2. The version used in the build script is now a variable, only needs to be changed once.

I've validated that with this changed behavior, our App, Attack Surface Analyzer, encounters no issues. I'm unable to test it on the WebApp as the version on master currently does not work for me (even without my changes).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
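
A check for the exposure the description refers to, as an added example that is not part of the PR or the Electron.NET code base: it parses Windows `netstat -ano` output and reports TCP listeners bound to anything other than a loopback address. The sample output, PIDs and ports are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the PR).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8001           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:8002         0.0.0.0:0              LISTENING       4312
  TCP    [::]:8003              [::]:0                 LISTENING       5120
  TCP    [::1]:8004             [::]:0                 LISTENING       5120
  TCP    192.168.1.20:8005      0.0.0.0:0              LISTENING       6001
  TCP    127.0.0.1:8002         127.0.0.1:50111        ESTABLISHED     4312
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def classify(ip):
    """Return 'loopback', 'wildcard' (all interfaces) or 'interface'."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "interface"

def exposed_listeners(netstat_text, pids=None):
    """Return (pid, port, address, kind) for TCP listeners not bound to loopback.

    pids optionally restricts the result to the given process ids,
    e.g. the backend process of the application under review.
    """
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listener rows have exactly: Proto, Local, Foreign, State, PID
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        ip, port = split_endpoint(fields[1])
        pid = int(fields[4])
        kind = classify(ip)
        if kind != "loopback" and (pids is None or pid in pids):
            findings.append((pid, port, str(ip), kind))
    return findings

if __name__ == "__main__":
    for pid, port, addr, kind in exposed_listeners(SAMPLE_NETSTAT):
        print(f"PID {pid}: port {port} bound to {addr} ({kind})")
```
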

claunia added the pull-request label 2026-01-29 16:57:36 +00:00
Reference: starred/Electron.NET#1126