Hi there, The default behaviour of http connector is listenning all interfaces. It is found in the description of "address" in attributes section. (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support) In terms of security default, it could be not best practice. In case of unexpected mistakes made by people, default behaviour of exposing the server to every possible network may pose a potential threat on security. (CWE-1327: Binding to an Unrestricted IP Address: https://cwe.mitre.org/data/definitions/1327.html) The issue should be a security enhancement. I recommend changing default behaviour to a single interface/network, e.g loopback interface 127.0.0.1 and adding configuration option with default value OFF for 0.0.0.0 or : :. If there have been any previous discusstion about this, could you please tell me more? Hope that I make it clear.
Bugzilla is not a discussion forum. Please take your question to the users mailing list.