Exposing the server on 0.0.0.0 by default is a terrible idea

[owainkenwayucl]

I've been looking at using Cromwell to automate some GATK benchmarks and it appears that by default in server mode it exposes its UI on all interfaces which is pretty bad from a security perspective.

That is backed up by https://github.com/broadinstitute/cromwell/blob/develop/cromwell.example.backends/cromwell.examples.conf and my own testing with a browser.

Luckily I had firewalld running on the machine I was testing it on.

It might be sensible to change the default to listening only on localhost?

[aednichols]

Yes, Cromwell assumes a trusted network that is not exposed to the Internet. If it doesn't say that in the docs now, it probably should – pull requests welcome.

For context, our production use case is running Cromwell on a server that is accessed by client(s), so binding to the external IP is required.

[owainkenwayucl]

Sure - I think the capability to do it is fine - it's that it is the default unprompted behaviour that I think is the issue.