Description
I noticed that the out-of-the-box behavior for Dgraph alpha and zero is to bind to 0.0.0.0. Even for just playing around, this is surprising behavior for a database to have. Every database I have installed recently binds to localhost unless you explicitly tell it otherwise. This provides security by default, which I also expect Dgraph would provide.
I am no expert on Dgraph's security model, but it seems to be designed to have a layer providing user authorization in front of it at all times. This also supports the reasoning of binding to localhost by default.
I propose that the --bindall option be changed to false by default. Happy to contribute a pull request if folks agree. It seems like Ratel doesn't support changing the binding from 0.0.0.0, but I can look into providing that as well, and it definitely should be if this is changed.