Commit 19a64cb

pimterry authored and aduh95 committed
doc: fix --inspect security warning section
PR-URL: #61675
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Tierney Cyren <hello@bnb.im>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
1 parent b607f04 commit 19a64cb

1 file changed, +26 -20 lines changed

doc/api/cli.md

Lines changed: 26 additions & 20 deletions
@@ -1599,26 +1599,6 @@ When enabled, the parser will accept the following:
15991599
All the above will expose your application to request smuggling
16001600
or poisoning attack. Avoid using this option.
16011601

1602-
<!-- Anchor to make sure old links find a target -->
1603-
1604-
<a id="inspector_security"></a>
1605-
1606-
#### Warning: binding inspector to a public IP:port combination is insecure
1607-
1608-
Binding the inspector to a public IP (including `0.0.0.0`) with an open port is
1609-
insecure, as it allows external hosts to connect to the inspector and perform
1610-
a [remote code execution][] attack.
1611-
1612-
If specifying a host, make sure that either:
1613-
1614-
* The host is not accessible from public networks.
1615-
* A firewall disallows unwanted connections on the port.
1616-
1617-
**More specifically, `--inspect=0.0.0.0` is insecure if the port (`9229` by
1618-
default) is not firewall-protected.**
1619-
1620-
See the [debugging security implications][] section for more information.
1621-
16221602
### `--inspect-brk[=[host:]port]`
16231603

16241604
<!-- YAML
@@ -1631,6 +1611,9 @@ a random available port will be used.
16311611

16321612
See [V8 Inspector integration for Node.js][] for further explanation on Node.js debugger.
16331613

1614+
See the [security warning][] below regarding the `host`
1615+
parameter usage.
1616+
16341617
### `--inspect-port=[host:]port`
16351618

16361619
<!-- YAML
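Review bot: The `[security warning][]` reference added at new lines 1614-1615 has no matching link definition in this diff. All 26 added lines are in the visible hunks and none of them is a `[security warning]: ...` definition, so the link resolves only if that definition already exists elsewhere in doc/api/cli.md. Confirm it does and that it targets the "Warning: binding inspector to a public IP:port combination is insecure" heading; otherwise add the definition in this commit.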
@@ -1668,6 +1651,9 @@ a random available port will be used.
16681651

16691652
See [V8 Inspector integration for Node.js][] for further explanation on Node.js debugger.
16701653

1654+
See the [security warning][] below regarding the `host`
1655+
parameter usage.
1656+
16711657
### `--inspect[=[host:]port]`
16721658

16731659
<!-- YAML
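Review bot: The word "below" in the sentence added at new lines 1654-1655 makes the cross-reference depend on the current order of sections, and this commit exists because the warning had ended up in the wrong place. Suggest "See the [security warning][] regarding the `host` parameter usage." here and in the identical sentence added in the previous hunk, so the text stays correct if the sections are reordered again.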
@@ -1682,6 +1668,26 @@ and profile Node.js instances. The tools attach to Node.js instances via a
16821668
tcp port and communicate using the [Chrome DevTools Protocol][].
16831669
See [V8 Inspector integration for Node.js][] for further explanation on Node.js debugger.
16841670

1671+
<!-- Anchor to make sure old links find a target -->
1672+
1673+
<a id="inspector_security"></a>
1674+
1675+
#### Warning: binding inspector to a public IP:port combination is insecure
1676+
1677+
Binding the inspector to a public IP (including `0.0.0.0`) with an open port is
1678+
insecure, as it allows external hosts to connect to the inspector and perform
1679+
a [remote code execution][] attack.
1680+
1681+
If specifying a host, make sure that either:
1682+
1683+
* The host is not accessible from public networks.
1684+
* A firewall disallows unwanted connections on the port.
1685+
1686+
**More specifically, `--inspect=0.0.0.0` is insecure if the port (`9229` by
1687+
default) is not firewall-protected.**
1688+
1689+
See the [debugging security implications][] section for more information.
1690+
16851691
### `-i`, `--interactive`
16861692

16871693
<!-- YAML
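Review bot: The bolded sentence at new lines 1686-1687 names only `--inspect=0.0.0.0`, while the other hunks of this commit now send readers of other sections, such as `--inspect-brk[=[host:]port]`, to this warning for the `host` parameter. Consider wording it so it covers every option that accepts `[host:]port`, not just `--inspect`. The legacy `<a id="inspector_security"></a>` anchor moving together with the heading looks right for keeping old links working.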