From 4de24902af9277f882b621f53e7814b8d956bbad Mon Sep 17 00:00:00 2001
From: jmt
Date: Wed, 14 Jun 2023 15:09:30 +0200
Subject: [PATCH] add check for insecure localhost (#62)
---
 node/node.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/node/node.go b/node/node.go
index c3317f7a9..45c2ab417 100644
--- a/node/node.go
+++ b/node/node.go
@@ -941,6 +941,11 @@ func (n *Node) initAdminAPI() error {
 n.Log.Info("skipping admin API initialization because it has been disabled")
 return nil
 }
+
+ if (n.Config.HTTPHost == "localhost" || n.Config.HTTPHost == "127.0.0.1") && !n.Config.APIConfig.AllowInsecureLocalhost {
+ return errors.New("localhost/127.0.0.1 are considered to be insecure hosts - please explicitly allow this by also setting --http-insecure-localhost")
+ }
+
 n.Log.Info("initializing admin API")
 service, err := admin.NewService(
 admin.Config{
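Review bot: The new guard in initAdminAPI matches only the exact strings "localhost" and "127.0.0.1". Other spellings of the same loopback binding, such as `::1`, another 127.0.0.0/8 address or `LOCALHOST`, pass the check without AllowInsecureLocalhost being set. If the intent is to require explicit opt-in for any loopback bind, classify the host rather than compare literals: `ip := net.ParseIP(n.Config.HTTPHost)` followed by `if (strings.EqualFold(n.Config.HTTPHost, "localhost") || (ip != nil && ip.IsLoopback())) && !n.Config.APIConfig.AllowInsecureLocalhost {`. This needs `net` and `strings` in the file's imports, which are outside this hunk, as is the rest of the function body. A short comment above the check saying why a loopback bind is treated as insecure here would also help, since the error message states the policy but not the reason.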