Airflow: default binding to world

Suggest Edits

Airflow comes with a default configuration of binding to world (0.0.0.0). Binding to world (0.0.0.0) can be dangerous in cases where the hosting machine is exposed, and in general it indicates a non-minimal security posture which can cause other unexpected exposures.

Problem

In airflow.cfg:

web_server_host = 0.0.0.0

Fix

In airflow.cfg, if under load balancer:

web_server_host = 127.0.0.1

Or, in airflow.cfg, if having specific interface address ADDR:

web_server_host = <ADDR>

See

Airflow docs
Stack Overflow: Superuser
A discussion for similar issue on a different project

Updated 7 months ago