unrestricted-server-socket-binding

Ensure binding to limited interfaces

Listening on 0.0.0.0, or on an address with an empty host (such as ":2000"), binds to every available interface and can unexpectedly expose the server publicly. An open port is dangerous when the service behind it is misconfigured, unpatched, vulnerable to exploits, or protected by weak network rules. It is typically recommended to bind to the loopback interface and to reach the service through IP forwarding, NAT, or by publishing specific ports out of a Docker container.

Examples

Insecure Example

package main

import (
    "log"
    "net"
)

func bind_default() {
    // An empty host binds port 2000 on all interfaces (the same as "0.0.0.0:2000")
    l, err := net.Listen("tcp", ":2000")
    if err != nil {
        log.Fatal(err)
    }
    // The listener is released when this function returns
    defer l.Close()
}

func main() {
    bind_default()
}

Secure Example

package main

import (
    "log"
    "net"
)

func bind_safe() {
    // Bind only on the loopback interface; the port is not reachable from other hosts
    l, err := net.Listen("tcp", "127.0.0.1:2000")
    if err != nil {
        log.Fatal(err)
    }
    // The listener is released when this function returns
    defer l.Close()
}

func main() {
    bind_safe()
}
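A runtime guard for this rule, added here as an example and not code from the original page: it classifies a Go listen address as wildcard or not (an empty address, an empty host such as ":2000", or an unspecified IP such as 0.0.0.0 or [::]) and wraps net.Listen so that wildcard addresses are refused. The function names and the sample addresses in main are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrUnrestrictedBind is returned for an address that would bind every interface.
var ErrUnrestrictedBind = errors.New("refusing to bind all interfaces; use a loopback or internal address")

// bindsAllInterfaces reports whether a listen address would bind every interface:
// an empty address, an empty host (":2000"), or an unspecified IP (0.0.0.0, [::]).
func bindsAllInterfaces(addr string) (bool, error) {
	if addr == "" {
		return true, nil
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	ip := net.ParseIP(host)
	return host == "" || (ip != nil && ip.IsUnspecified()), nil
}

// listenRestricted wraps net.Listen and refuses wildcard addresses (hypothetical helper).
func listenRestricted(network, addr string) (net.Listener, error) {
	if all, err := bindsAllInterfaces(addr); err != nil || all {
		if err == nil {
			err = ErrUnrestrictedBind
		}
		return nil, err
	}
	return net.Listen(network, addr)
}

func main() {
	// Constructed sample addresses; only the loopback one should be accepted.
	for _, addr := range []string{"", ":2000", "0.0.0.0:2000", "[::]:2000", "127.0.0.1:0"} {
		l, err := listenRestricted("tcp", addr)
		if err != nil {
			fmt.Printf("%-14q refused: %v\n", addr, err)
			continue
		}
		fmt.Printf("%-14q listening on %s\n", addr, l.Addr())
		l.Close()
	}
}
```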