
[Bug]: HTTP API can bind beyond loopback with permissive CORS #1923

@martin-forge

Summary

The HTTP API is presented as a local API at http://localhost:{PORT}, but the server currently starts with a port-only bind. On macOS with TaskNotes 4.8.1, enabling the API makes it reachable from the machine's LAN address as well as localhost when no auth token is configured.

API responses also use permissive CORS headers.

Reproduction

  1. Enable the HTTP API with the auth token left blank.
  2. Check the listening socket:

     ```
     lsof -nP -iTCP:8080 -sTCP:LISTEN
     ```

     On my machine this reports Obsidian listening on `*:8080`.
  3. Request the API through the machine's LAN address:

     ```
     curl http://<lan-ip>:8080/api/health
     ```

     This returns a successful API response.
  4. Inspect response headers. API responses include:

     ```
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
     Access-Control-Allow-Headers: Content-Type, Authorization
     ```

Expected behavior

Enabling a local task API should not unexpectedly expose a read/write endpoint beyond loopback, especially when auth is optional and may be blank.

Notes

The relevant server startup is in `HTTPAPIService.ts`:

```ts
this.server.listen(this.plugin.settings.apiPort, () => {
  resolve();
});
```

A narrow fix could bind to 127.0.0.1 by default, with an explicit advanced setting for users who intentionally want LAN access. The permissive CORS defaults may also be worth tightening or documenting.
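The following is an added sketch of what that narrow fix could look like, written for this report rather than taken from the TaskNotes code base. It assumes a settings object with an `apiAllowLan` opt-in and an `apiAuthToken` field (both names are assumptions; the real plugin's setting names are not shown above). It binds to loopback unless the user explicitly enables LAN access, refuses to start LAN-exposed with a blank token, and replaces the wildcard CORS header with an origin check that only echoes loopback origins or an explicit allow list.

```typescript
import * as http from "node:http";
import type { AddressInfo } from "node:net";

// Hypothetical settings shape for this example; the plugin's real
// settings object is not on the page.
export interface ApiSettings {
  apiPort: number;
  apiAuthToken: string;   // assumed name; blank string means no auth
  apiAllowLan: boolean;   // assumed advanced opt-in for non-loopback binding
  corsAllowList?: string[]; // assumed; extra origins the user trusts
}

// Loopback by default; the wider bind is only used on explicit opt-in.
export function resolveBindHost(settings: ApiSettings): string {
  return settings.apiAllowLan ? "0.0.0.0" : "127.0.0.1";
}

// Guard against the combination the report describes: a read/write API
// reachable from the LAN with no token configured. Returns an error
// message, or null when the configuration is acceptable.
export function exposureProblem(settings: ApiSettings): string | null {
  if (settings.apiAllowLan && settings.apiAuthToken.trim() === "") {
    return "LAN access is enabled but no auth token is set; refusing to start";
  }
  return null;
}

// Decide which Origin, if any, to echo back. Only loopback origins and
// explicitly listed origins are accepted; everything else gets no
// Access-Control-Allow-Origin header at all.
export function corsOriginFor(
  origin: string | undefined,
  allowList: string[] = [],
): string | null {
  if (!origin) return null;
  let url: URL;
  try {
    url = new URL(origin);
  } catch {
    return null; // malformed Origin header
  }
  const host = url.hostname; // WHATWG URL keeps brackets on IPv6 hosts
  const loopback = host === "localhost" || host === "127.0.0.1" || host === "[::1]";
  return loopback || allowList.includes(origin) ? origin : null;
}

// Apply the CORS decision to a response. Returns true when the request was
// a preflight that has been fully answered here.
export function applyCors(
  req: http.IncomingMessage,
  res: http.ServerResponse,
  allowList: string[] = [],
): boolean {
  const allowed = corsOriginFor(req.headers.origin, allowList);
  if (allowed) {
    res.setHeader("Access-Control-Allow-Origin", allowed);
    res.setHeader("Vary", "Origin"); // response depends on Origin; keep caches honest
    res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
  }
  if (req.method === "OPTIONS") {
    res.writeHead(allowed ? 204 : 403);
    res.end();
    return true;
  }
  return false;
}

// Replacement for the port-only listen() shown in the report: pass the
// host explicitly and fail closed on an unsafe exposure configuration.
export function startServer(
  settings: ApiSettings,
  handler: http.RequestListener,
): Promise<http.Server> {
  const problem = exposureProblem(settings);
  if (problem) return Promise.reject(new Error(problem));
  const host = resolveBindHost(settings);
  return new Promise((resolve, reject) => {
    const server = http.createServer((req, res) => {
      if (applyCors(req, res, settings.corsAllowList)) return;
      handler(req, res);
    });
    server.once("error", reject);
    server.listen(settings.apiPort, host, () => {
      const addr = server.address() as AddressInfo;
      console.log(`API bound to ${addr.address}:${addr.port}`);
      resolve(server);
    });
  });
}
```

With the default settings, `lsof` would then show the socket on `127.0.0.1:8080` instead of `*:8080`, and a cross-origin page that is not served from loopback would receive no `Access-Control-Allow-Origin` header rather than `*`.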

Status: Completed