
I can see your local web servers

(http.jameshfisher.com)
652 points | jamesfisher | 1 comments

gnomewascool No.20028516
If you use uMatrix, you can easily block the localhost and local network "sniffing" with the following rule[0]:

  * 127       * block    ### block access to IPv4 localhost 127.x.x.x
  * localhost * block
  * [::1]     * block    ### block access to IPv6 localhost
  * 192.168   * block    ### block access to LAN 192.168.x.x

In principle, you can use this without any other blocking, i.e. with the rule:

  * * * allow

and hence without disabling javascript on any sites.

[0] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uM...

Edit: as pointed out by DarkWiiPlayer below, if you want to be able to access the localhost websites from the same browser, you need:

  localhost localhost * allow

and similarly for the LAN. In full:

  127       127       * allow
  localhost localhost * allow
  [::1]     [::1]     * allow
  192.168   192.168   * allow

bg0 No.20030102
Anyone know if this can be done on a hosts level instead of a browser level?

comex No.20035357
It can’t. At best you can try to modify the hosts file to point localhost to somewhere bogus, but aside from the potential breakage that could cause, it won’t help against any site that simply accesses http://127.0.0.1 instead of http://localhost. In general, the hosts file can be useful for quick-and-dirty blocking, but it’s not really capable of enforcing a security barrier.

Edit: But there may be other ways to do it at an OS level, depending on your OS.
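
As an added example (not from the thread and not uMatrix's own code), here is a simplified JavaScript model of the rule set gnomewascool lists. It decides on the URL's host, so a literal `http://127.0.0.1` is handled the same as `http://localhost`. The matching and the "most specific rule wins" logic are assumptions made for illustration, and `matches` and `decide` are hypothetical names.

```javascript
// Simplified model of the thread's rule set. NOT uMatrix's matcher.
// Each rule is [source, destination, action]; the type column is always "*".
const RULES = [
  ['*', '*', 'allow'],
  ['*', '127', 'block'],
  ['*', 'localhost', 'block'],
  ['*', '[::1]', 'block'],
  ['*', '192.168', 'block'],
  ['127', '127', 'allow'],
  ['localhost', 'localhost', 'allow'],
  ['[::1]', '[::1]', 'allow'],
  ['192.168', '192.168', 'allow'],
];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Assumption: an IPv4 literal matches a pattern by leading octets and a DNS
// name by trailing labels, so "192.168.example.com" is not treated as LAN.
function matches(pattern, host) {
  if (pattern === '*' || host === pattern) return true;
  if (IPV4.test(host)) return host.startsWith(pattern + '.');
  return host.endsWith('.' + pattern);
}

// Assumption: among matching rules the most specific one wins, with a
// specific source outranking a specific destination.
function decide(pageUrl, requestUrl) {
  const src = new URL(pageUrl).hostname; // IPv6 hosts keep brackets: "[::1]"
  const dst = new URL(requestUrl).hostname;
  let best = null;
  for (const [s, d, action] of RULES) {
    if (!matches(s, src) || !matches(d, dst)) continue;
    const score = (s === '*' ? 0 : 2) + (d === '*' ? 0 : 1);
    if (best === null || score > best.score) best = { score, action };
  }
  return best.action; // the "* * allow" rule always matches, so best is set
}

// Constructed sample: a public page requesting a local dev server.
console.log(decide('https://example.com/', 'http://127.0.0.1:8080/'));
```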