by pilif 3213 days ago
> It is not recommended to expose unsecure Unit API

Why do people always use "not recommended" when they actually mean "do not ever do this or you'll end up the laughing stock in the tech press"?

Exposing this otherwise awesome API to the public will amount to a free RCE for everybody. So never expose this to the public, not even behind some authentication.

It's very cool that by design it's only listening on a domain socket. Don't add a proxy in front of this.
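The point the comment makes is that the control API is safe only while it stays on a local domain socket with tight permissions. The following script is an added example, not code from the thread's commenters or from the NGINX Unit project: it classifies a control address in the two forms unitd's `--control` option accepts (`unix:/path` or `host:port`), flags any TCP listener, and treats a non-loopback TCP listener as critical. The socket path and the port numbers in `main()` are constructed samples, not a real deployment.

```python
"""Audit an NGINX Unit control-API address for exposure beyond a domain socket.

Added example for this thread; it is not code from the HN commenters or from
the NGINX Unit project. It assumes the two address forms unitd's --control
option accepts ("unix:/path" or "host:port"); the addresses in main() are
constructed samples, not real deployments.
"""
import ipaddress
import os
import stat
from dataclasses import dataclass


@dataclass
class ControlAudit:
    address: str
    kind: str    # "unix", "tcp" or "unknown"
    risk: str    # "ok", "warn" or "critical"
    reason: str


def _is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1 (with or without brackets)."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_control_address(address: str, check_fs: bool = True) -> ControlAudit:
    """Classify where the control API listens.

    The control API lets a caller install or change application configuration,
    so anyone who can reach it can run code as the application user. A domain
    socket with owner-only permissions is the expected state; a TCP listener is
    flagged, and a TCP listener on a non-loopback address is treated as critical.
    """
    if address.startswith("unix:"):
        path = address[len("unix:"):]
        if check_fs and os.path.exists(path):
            mode = os.stat(path).st_mode
            if not stat.S_ISSOCK(mode):
                return ControlAudit(address, "unix", "warn",
                                    f"{path} exists but is not a socket")
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                return ControlAudit(address, "unix", "warn",
                                    f"{path} is group/world accessible "
                                    f"(mode {oct(mode & 0o777)})")
        return ControlAudit(address, "unix", "ok",
                            "control API on a domain socket")

    host, sep, port = address.rpartition(":")
    if not sep or not port.isdigit():
        return ControlAudit(address, "unknown", "warn",
                            "unrecognised control address format")
    if _is_loopback(host):
        return ControlAudit(address, "tcp", "warn",
                            "TCP listener on loopback: any local process, or a "
                            "reverse proxy placed in front of it, can reach it")
    return ControlAudit(address, "tcp", "critical",
                        f"TCP listener on {host or 'all interfaces'}: reachable "
                        "from the network, equivalent to remote code execution")


def main() -> None:
    # Constructed sample addresses, from safest to worst.
    for addr in ("unix:/var/run/control.unit.sock",   # assumed socket path
                 "127.0.0.1:8443", "[::1]:8443", "0.0.0.0:8443", "*:8443"):
        result = audit_control_address(addr, check_fs=False)
        print(f"{result.risk:8} {result.kind:7} {addr:32} {result.reason}")


if __name__ == "__main__":
    main()
```

Run it against the value of `--control` taken from the running unitd process; with `check_fs=True` (the default) it also verifies that the path is really a socket and is not group- or world-accessible.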


> Why do people always use "not recommended" when they actually mean "do not ever do this or you'll end up the laughing stock in the tech press"?

For the same reason they say "non-trivial" when they really mean "nearly impossibly difficult". :)

Technically, NOT RECOMMENDED is the same as SHOULD NOT in RFC 2119, i.e. "the full implications should be understood and the case carefully weighed before implementing any behavior described with this label". Not that this document uses those definitions, but.

Technically, you can expose the Unit API within an internal network.
Why that still might not be a good idea: https://research.google.com/pubs/pub43231.html

Thanks for linking that. Typically, if you know what you are doing, a setup of this nature would be segmented out from the rest of the internal network.

I did compliance work for a lot of start-ups and never came across a company that understood this concept. The majority thinks that their wireless router is already doing this via the Guest account.