From 706b318abb6ab13da4f8a1cc51133a13a8255e4d Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 12:42:40 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20secure=20backend=20by=20binding?=
 =?UTF-8?q?=20uvicorn=20to=20localhost?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎯 What: Changed the uvicorn host binding from 0.0.0.0 to 127.0.0.1 in server/start.sh.
⚠️ Risk: Binding to 0.0.0.0 exposes the unauthenticated backend API to any network interface, potentially allowing unauthorized access.
🛡️ Solution: Binding to 127.0.0.1 ensures the FastAPI backend is only accessible from the local machine, relying on the Next.js frontend to securely proxy external requests.

Co-authored-by: LyAhn <27559362+LyAhn@users.noreply.github.com>