From edfc6dc50104ced3efe5d910a6aa371dae6f28b7 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:07:47 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=20secure=20backend=20by=20bind?= =?UTF-8?q?ing=20uvicorn=20to=20localhost?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎯 What: Changed the uvicorn host binding from 0.0.0.0 to 127.0.0.1 in server/start.sh. ⚠️ Risk: Binding to 0.0.0.0 exposes the unauthenticated backend API to any network interface, potentially allowing unauthorized access. 🛡️ Solution: Binding to 127.0.0.1 ensures the FastAPI backend is only accessible from the local machine, relying on the Next.js frontend to securely proxy external requests.
Co-authored-by: LyAhn <27559362+LyAhn@users.noreply.github.com>
---
 server/start.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/start.sh b/server/start.sh
index 1c05a6c..befa203 100755
--- a/server/start.sh
+++ b/server/start.sh
@@ -72,7 +72,7 @@ fi
 # Pass DEVICE env var so the server can select the correct torch device.
 # ---------------------------------------------------------------------------
 echo ""
-echo "--> Starting uvicorn on http://0.0.0.0:8000"
+echo "--> Starting uvicorn on http://127.0.0.1:8000"
 export PYTHONUTF8=1
 if $CPU_MODE; then
@@ -83,7 +83,7 @@ else
 fi
 exec uv run uvicorn vibevoice_server:app \
- --host 0.0.0.0 \
+ --host 127.0.0.1 \
 --port 8000 \
 --log-level info \
 "${PASSTHROUGH_ARGS[@]+"${PASSTHROUGH_ARGS[@]}"}"
From 706b318abb6ab13da4f8a1cc51133a13a8255e4d Mon Sep 17 00:00:00 2001
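Review bot: The loopback bind in the `exec uv run uvicorn` hunk is not enforced, because `"${PASSTHROUGH_ARGS[@]}"` is still appended after `--host 127.0.0.1`; a caller-supplied `--host` would presumably take precedence (uvicorn's CLI normally keeps the last value), and the banner changed in the first hunk would then print the wrong address. Since the commit message calls the API unauthenticated, make the bind address one explicit setting used by both lines, e.g. `--host "${BIND_HOST:-127.0.0.1}" \` (variable name is illustrative) with the `echo` printing the same value, and either reject or loudly log a `--host` found in the passthrough arguments. I would also add a comment above the `exec`, such as `# Loopback only: the API has no authentication; expose it solely through the frontend proxy.` Loopback still leaves port 8000 reachable by every local user and process, and a frontend that runs in another container or resolves `localhost` to `::1` will not reach a 127.0.0.1-only listener, so the supported deployment layout should be stated. The `if $CPU_MODE` block and the argument parsing that fills `PASSTHROUGH_ARGS` lie outside the hunks.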
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 12:42:40 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=20secure=20backend=20by=20bind?= =?UTF-8?q?ing=20uvicorn=20to=20localhost?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎯 What: Changed the uvicorn host binding from 0.0.0.0 to 127.0.0.1 in server/start.sh. ⚠️ Risk: Binding to 0.0.0.0 exposes the unauthenticated backend API to any network interface, potentially allowing unauthorized access. 🛡️ Solution: Binding to 127.0.0.1 ensures the FastAPI backend is only accessible from the local machine, relying on the Next.js frontend to securely proxy external requests.
Co-authored-by: LyAhn <27559362+LyAhn@users.noreply.github.com>