
_⚠️ Potential issue_ | _🟠 Major_ #108

@MasumRab

Description


Don’t bind to 0.0.0.0 with reload enabled by default

Binding to all interfaces (S104) plus unconditional reload=True is risky; gate both by env (dev vs prod) and allow HOST override.

 if __name__ == "__main__":
-    port = int(os.getenv("PORT", 8000))
-    # We use a string to specify the app location to allow for reloading.
-    uvicorn.run("backend.python_backend.main:app", host="0.0.0.0", port=port, reload=True)
+    port = int(os.getenv("PORT", 8000))
+    env = os.getenv("NODE_ENV", "development")
+    host = os.getenv("HOST", "127.0.0.1" if env == "development" else "0.0.0.0")
+    reload = env == "development"
+    # Use string app path to support reload
+    uvicorn.run("backend.python_backend.main:app", host=host, port=port, reload=reload)
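Review bot: the literal "0.0.0.0" in the `host = os.getenv("HOST", ...)` line keeps the Ruff S104 finding listed under Tools alive, and defaulting `NODE_ENV` to "development" means any deployment that never exports the variable runs with auto-reload on; the prompt further down already proposes the fail-safe direction, `os.getenv("ENV", "production") == "development"`, so the default should be production and the public bind an explicit opt-in. `NODE_ENV` is also a Node.js convention, so a neutral name such as `ENV` reads better for a Python/uvicorn entry point.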
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

if __name__ == "__main__":
    port = int(os.getenv("PORT", 8000))
    env = os.getenv("NODE_ENV", "development")
    host = os.getenv(
        "HOST",
        "127.0.0.1" if env == "development" else "0.0.0.0"
    )
    reload = env == "development"
    # Use string app path to support reload
    uvicorn.run(
        "backend.python_backend.main:app",
        host=host,
        port=port,
        reload=reload
    )
🧰 Tools
🪛 Ruff (0.13.1)

12-12: Possible binding to all interfaces

(S104)

🤖 Prompt for AI Agents
In run.py around lines 10-12, currently the server always binds to 0.0.0.0 and
sets reload=True; change this to read HOST and a dev/reload flag from
environment so you don't unconditionally bind to all interfaces or enable
auto-reload in production. Use os.getenv("HOST", "127.0.0.1") to allow override
of the bind address, and gate reload via something like os.getenv("ENV",
"production") == "development" or a dedicated RELOAD env var; pass the evaluated
host and reload values into uvicorn.run instead of hardcoding "0.0.0.0" and
True. Ensure port still falls back to 8000.

Originally posted by @coderabbitai[bot] in #107 (comment)
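Added example, not code from the repository or from the review bot: a small resolver that applies the thread's advice with fail-safe defaults (unset ENV means production, loopback bind, no reload) and exposes the result as a testable value. The app path and port default are taken from the diff; ENV, HOST and RELOAD are the variable names the prompt proposes, and the uvicorn import is deferred so the resolver runs without it.

```python
import os
from dataclasses import dataclass
from typing import Mapping

# Constructed example: the app path and port default mirror the diff above;
# ENV, HOST and RELOAD are the variable names the review prompt proposes.
APP_PATH = "backend.python_backend.main:app"
LOOPBACK = "127.0.0.1"
ALL_INTERFACES = "0.0.0.0"  # noqa: S104  (used only when HOST asks for it)


@dataclass(frozen=True)
class ServerConfig:
    host: str
    port: int
    reload: bool


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def resolve_server_config(env: Mapping[str, str]) -> ServerConfig:
    """Derive bind settings from an environment mapping.

    Fail-safe defaults: an unset ENV means production, so a deployment that
    forgets to export ENV gets a loopback-only bind and no auto-reload.
    Exposure (HOST) is an explicit opt-in, and reload is never honoured
    outside development, whatever RELOAD says.
    """
    is_dev = env.get("ENV", "production").lower() == "development"
    host = env.get("HOST", LOOPBACK)
    port = int(env.get("PORT", "8000"))
    if not 0 < port < 65536:
        raise ValueError(f"PORT out of range: {port}")
    reload = is_dev and _truthy(env.get("RELOAD", "true"))
    return ServerConfig(host=host, port=port, reload=reload)


def main() -> None:
    cfg = resolve_server_config(os.environ)
    if cfg.host == ALL_INTERFACES:
        print("warning: binding to all interfaces; front this with a "
              "firewall or reverse proxy")
    import uvicorn  # deferred so the resolver is testable without uvicorn

    uvicorn.run(APP_PATH, host=cfg.host, port=cfg.port, reload=cfg.reload)


if __name__ == "__main__":
    main()
```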
