by nurettin 1012 days ago
Works on localhost. It is not a big deal.
4 comments

This is how trivial bugs turn into full-fledged threats. Increasing attack surfaces without any justification is bad cyber security.
If you're hosting your applications on localhost it can be a security risk.

A blind SSRF vulnerability (with payload control) in your application could be used to gain full control over the reverse proxy resulting in the attacker gaining full unfettered access to your network.

If you're not using it (and you shouldn't be using such functionality on a production machine), then you don't need it and should disable it, see: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
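As an added example of the defender-side counterpart to the SSRF point above (this is not code from the thread or from any project discussed in it): an application that fetches user-supplied URLs resolves the hostname itself, refuses anything that lands in loopback, private or link-local space, and returns the address it actually checked so the HTTP client connects to that address instead of resolving the name a second time. That second lookup is where DNS rebinding would otherwise slip a 127.0.0.1 answer in. The `DEMO_DNS` table and `demo_resolver` are constructed so the example runs offline; `system_resolver` is what you would pass in production.

```python
"""Outbound URL check against SSRF, including the DNS-rebinding case.

Added example: resolve the hostname ourselves, reject anything that lands in
loopback/private/link-local space, and return the address we checked so the
HTTP client connects to *that* address instead of resolving the name again.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the IPv4 rules apply.
    """
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def system_resolver(host):
    """Default resolver: every address the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_for_fetch(url, resolver=system_resolver):
    """Validate a user-supplied URL and return (host, pinned_ip, port).

    Raises ValueError for anything the application must not fetch.  Every
    address the name resolves to must be public: a name that returns both a
    public and a loopback answer (rebinding) is rejected outright.  Connect
    the HTTP client to pinned_ip and send `host` in the Host header, so no
    second lookup happens between check and connect.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)

    try:
        # Literal address: check it directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Names, and odd literal spellings that ipaddress rejects but the OS
        # resolver may accept, are resolved and checked on the result.
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")

    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        raise ValueError(f"{host!r} resolves to non-public address(es): {blocked}")
    return host, addrs[0], port


def is_safe_url(url, resolver=system_resolver):
    """Boolean wrapper around resolve_for_fetch for allow/deny decisions."""
    try:
        resolve_for_fetch(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline (not real records).
DEMO_DNS = {
    "example.test": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "internal.test": ["10.0.0.5"],
    "rebind.test": ["8.8.8.8", "127.0.0.1"],  # name that also answers loopback
}


def demo_resolver(host):
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.test/api", "http://127.0.0.1:8080/admin",
              "http://[::1]/", "http://rebind.test/", "http://internal.test/",
              "http://169.254.169.254/", "ftp://example.test/"):
        print(f"{u:35} -> {'allow' if is_safe_url(u, demo_resolver) else 'deny'}")
```

The check is on what the name resolves to, not on the string the user typed, which is why it also catches literal spellings the OS resolver accepts and `ipaddress` does not. The remaining piece is on the HTTP client side: it has to connect to the returned address rather than the hostname, otherwise the resolver can be asked again and answer differently.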

It is absolutely a big deal. Any server software should be secure by default, period.
If your server reaches out to user-provided URLs, it can be a big deal. Especially with DNS rebinding, remote users can bind domains to 127.0.0.1, which avoids CORS-like protections.
We mitigate both DNS rebinding and cross-origin in the admin endpoint by verifying Host and Origin headers -- by default.
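As an added illustration of the mitigation the reply above describes (verifying Host and Origin on a localhost-bound admin endpoint); this is not the project's own code, and the listener names in `ALLOWED_HOSTS`, the port `ADMIN_PORT` and the `SAMPLES` requests are all assumed or constructed. The Host check is what defeats DNS rebinding: a page served from an attacker-controlled name whose DNS is then pointed at 127.0.0.1 still sends that name in Host, so it is rejected before Origin is even looked at. The Origin check is what stops a cross-origin request from any other page the user happens to have open.

```python
"""Host/Origin verification for an admin endpoint bound to localhost.

Added example.  Host must be one of the names the listener answers to, so a
page whose DNS name has been rebound to 127.0.0.1 still fails (its requests
carry that name in Host).  Origin, when the browser sends one, must also be
local, which stops cross-origin requests from any other page.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed listener names
ADMIN_PORT = 8443                                   # assumed listener port


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _parse_authority(value):
    """(host, port) from a Host header value; None if it is not a clean authority."""
    if not value or any(c in value for c in "/?#@\\ "):
        return None
    try:
        parts = urlsplit("//" + value)
        return parts.hostname, parts.port
    except ValueError:  # e.g. non-numeric port
        return None


def check_admin_request(headers, allowed_hosts=ALLOWED_HOSTS, port=ADMIN_PORT):
    """Return (allowed, reason) for one request's headers.

    Port comparison is strict because the listener is on a non-default port;
    a listener on 80/443 would treat a missing port as that default.
    """
    parsed = _parse_authority(_header(headers, "Host"))
    if parsed is None:
        return False, "missing or malformed Host header"
    host, hport = parsed
    if host not in allowed_hosts:
        return False, f"Host {host!r} is not a local name (DNS-rebinding guard)"
    if hport != port:
        return False, f"Host port {hport} is not the admin port {port}"

    origin = _header(headers, "Origin")
    if origin is None:
        # Non-browser clients and same-origin top-level navigations send no Origin.
        return True, "Host ok, no Origin header"
    if origin.strip().lower() == "null":
        return False, "opaque Origin is never trusted"
    try:
        o = urlsplit(origin)
        oport = o.port
    except ValueError:
        return False, "malformed Origin header"
    if o.scheme not in ("http", "https") or o.hostname not in allowed_hosts:
        return False, f"cross-origin request from {origin!r}"
    if oport != port:
        return False, f"Origin port {oport} is not the admin port {port}"
    return True, "Host and Origin both local"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ({"Host": "localhost:8443", "Origin": "http://localhost:8443"}, "local page"),
    ({"Host": "127.0.0.1:8443"}, "curl from the box"),
    ({"Host": "[::1]:8443"}, "IPv6 loopback client"),
    ({"Host": "attacker.example:8443", "Origin": "http://attacker.example:8443"}, "DNS rebinding"),
    ({"Host": "localhost:8443", "Origin": "http://attacker.example"}, "cross-origin fetch"),
    ({"Host": "localhost:8443", "Origin": "null"}, "opaque origin"),
    ({"Host": "localhost:9000"}, "wrong port"),
]


def classify_samples():
    """Run every sample through the check; returns a list of (label, allowed)."""
    return [(label, check_admin_request(h)[0]) for h, label in SAMPLES]


if __name__ == "__main__":
    for h, label in SAMPLES:
        ok, why = check_admin_request(h)
        print(f"{label:22} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two design points worth noting: a missing Origin is accepted because non-browser clients and same-origin navigations legitimately omit it, while the literal value `null` is rejected because it is what browsers send for sandboxed or opaque contexts; and both checks run on the parsed authority, so a Host value smuggling a path, userinfo or a non-numeric port is rejected as malformed rather than partially matched.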