Harden HTTP defaults and improve stop-server fallback

[dsarno]

Summary

• enforce safer defaults for HTTP endpoints (LAN bind and insecure remote HTTP now explicit opt-ins)
• centralize URL policy checks and apply them in launch/start flows
• improve local server stop behavior when pidfile PID is stale by falling back to guarded heuristics
• add/update characterization tests for policy gating and URL normalization
• add a README Security section documenting these defaults

Issue Coverage

• Addresses most hardening requests from Security risks detected by Codex #750

Validation

• Unity EditMode: 646 total, 0 failed
• Python pytest: 666 passed

Summary by Sourcery

Harden HTTP endpoint security defaults and enforce URL policy checks for local and remote connections, while improving local server stop behavior when pidfiles are stale.

New Features:

• Introduce advanced settings toggles to opt in to LAN HTTP binding and insecure remote HTTP for non-default use cases.

Enhancements:

• Default remote HTTP URLs to HTTPS during normalization and centralize URL validation/policy helpers for loopback, bind-all, and remote schemes.
• Apply security policy checks across connection UI, HTTP server launch, WebSocket transport startup, and server command building, with clearer tooltips and dialog messaging.
• Recognize IPv6 loopback addresses as local for HTTP and broaden internal local URL detection to include bind-all IPv6 addresses.
• Update editor preferences and wiring so advanced security toggles immediately refresh connection and HTTP server command UI state.
• Allow HTTP local server stop to fall back to guarded port-based heuristics when pidfile PIDs are stale instead of failing closed.

Documentation:

• Add a README Security section documenting secure-by-default HTTP Local and HTTP Remote behavior and opt-in flags for LAN bind and insecure HTTP.

Tests:

• Extend characterization tests to cover security policy gating, scheme defaults, loopback detection (including IPv6), LAN bind opt-in, and remote HTTP opt-in behavior.

Summary by CodeRabbit

• New Features

  • Two new security options: "Allow LAN Bind (HTTP Local)" and "Allow Insecure Remote HTTP" to opt into less-restrictive HTTP behavior.

• UI Changes

  • Advanced settings toggles added and wired into session/start controls; Start/Connect buttons and tooltips now reflect policy state and provide contextual messages.

• Bug Fixes

  • Startup/connect blocked with clear errors when configured URLs violate local/remote security policies.

• Tests

  • Expanded tests covering local/remote URL policies, IPv4/IPv6 local detection, and opt-in scenarios.

• Documentation

  • README Security section added describing default secure behavior and opt-in requirements.

[sourcery-ai]

Reviewer's Guide

Centralizes HTTP URL security policy, introduces explicit editor preferences and UI gating for risky HTTP configurations (LAN bind and insecure remote HTTP), hardens local/remote launch logic, improves stale pidfile handling when stopping the local HTTP server, and updates characterization tests and README security documentation.

Sequence diagram for HTTP Local server start with security policy gating

sequenceDiagram
    actor UnityUser
    participant McpConnectionSection
    participant HttpEndpointUtility
    participant ServerManagementService as MCPServiceLocator_Server

    UnityUser->>McpConnectionSection: Click HTTP server toggle (start)
    McpConnectionSection->>HttpEndpointUtility: GetLocalBaseUrl()
    McpConnectionSection->>HttpEndpointUtility: IsHttpLocalUrlAllowedForLaunch(localBaseUrl, out error)
    alt URL blocked by policy
        HttpEndpointUtility-->>McpConnectionSection: false, error
        McpConnectionSection->>UnityUser: Show dialog "Cannot Start HTTP Server"
        McpConnectionSection->>McpConnectionSection: Log warning and return
    else URL allowed
        HttpEndpointUtility-->>McpConnectionSection: true
        McpConnectionSection->>MCPServiceLocator_Server: StartLocalHttpServer()
        alt server started
            MCPServiceLocator_Server-->>McpConnectionSection: true
            McpConnectionSection->>McpConnectionSection: Auto-start session
        else server failed
            MCPServiceLocator_Server-->>McpConnectionSection: false
            McpConnectionSection->>UnityUser: Show error status
        end
    end

Loading

Sequence diagram for HTTP Remote connection start with URL policy gating

sequenceDiagram
    actor UnityUser
    participant McpConnectionSection
    participant HttpEndpointUtility
    participant WebSocketTransportClient

    UnityUser->>McpConnectionSection: Click Start Session
    McpConnectionSection->>McpConnectionSection: Determine selected transport
    alt HTTP Remote selected
        McpConnectionSection->>HttpEndpointUtility: IsCurrentRemoteUrlAllowed(out error)
        alt remote URL blocked
            HttpEndpointUtility-->>McpConnectionSection: false, error
            McpConnectionSection->>UnityUser: Show dialog "Connection Blocked"
            McpConnectionSection->>McpConnectionSection: Log warning and return
        else remote URL allowed
            HttpEndpointUtility-->>McpConnectionSection: true
            McpConnectionSection->>WebSocketTransportClient: StartAsync()
        end
    else other transport
        McpConnectionSection->>WebSocketTransportClient: StartAsync()
    end

    alt remote scope inside StartAsync
        WebSocketTransportClient->>HttpEndpointUtility: IsRemoteScope()
        WebSocketTransportClient->>HttpEndpointUtility: IsCurrentRemoteUrlAllowed(out error)
        alt blocked by policy
            HttpEndpointUtility-->>WebSocketTransportClient: false, error
            WebSocketTransportClient->>WebSocketTransportClient: Set state Disconnected
            WebSocketTransportClient->>McpConnectionSection: return false
        else allowed
            HttpEndpointUtility-->>WebSocketTransportClient: true
            WebSocketTransportClient->>WebSocketTransportClient: Open WebSocket
            WebSocketTransportClient-->>McpConnectionSection: return true
        end
    end

Loading

Updated class diagram for HTTP endpoint security utilities and preferences

classDiagram
    class HttpEndpointUtility {
        +string GetLocalBaseUrl()
        +void SaveLocalBaseUrl(string userValue)
        +string GetRemoteBaseUrl()
        +void SaveRemoteBaseUrl(string userValue)
        +ConfiguredTransport GetCurrentServerTransport()
        +bool AllowLanHttpBind()
        +bool AllowInsecureRemoteHttp()
        +bool IsLoopbackHost(string host)
        +bool IsBindAllInterfacesHost(string host)
        +bool IsHttpLocalUrlAllowedForLaunch(string url, string error)
        +bool IsRemoteUrlAllowed(string remoteBaseUrl, string error)
        +bool IsCurrentRemoteUrlAllowed(string error)
        +string GetHttpLocalHostRequirementText()
        -string NormalizeBaseUrl(string value, string defaultUrl, bool remoteScope)
    }

    class EditorPrefKeys {
        <<static>>
        +string ProjectScopedToolsLocalHttp
        +string AllowLanHttpBind
        +string AllowInsecureRemoteHttp
    }

    HttpEndpointUtility --> EditorPrefKeys : uses

Loading

Updated class diagram for connection and advanced editor sections

classDiagram
    class MCPForUnityEditorWindow {
        +void CreateGUI()
    }

    class McpAdvancedSection {
        -Toggle allowLanHttpBindToggle
        -Toggle allowInsecureRemoteHttpToggle
        +event Action OnGitUrlChanged
        +event Action OnHttpServerCommandUpdateRequested
        +event Action OnTestConnectionRequested
        +void CacheUIElements()
        +void InitializeUI()
        +void RegisterCallbacks()
        +void UpdatePathOverrides()
        +void UpdateHealthStatus(bool isHealthy, string statusText)
    }

    class McpConnectionSection {
        +void UpdateConnectionStatus()
        +void UpdateHttpServerCommandDisplay()
        +void UpdateStartHttpButtonState()
        +void SetHealthStatusUpdateCallback(Action callback)
        +bool IsHttpLocalSelected()
        -async void OnHttpServerToggleClicked()
        -async void OnConnectionToggleClicked()
    }

    class HttpEndpointUtility {
        +bool IsHttpLocalUrlAllowedForLaunch(string url, string error)
        +bool IsCurrentRemoteUrlAllowed(string error)
        +string GetLocalBaseUrl()
        +string GetHttpLocalHostRequirementText()
    }

    MCPForUnityEditorWindow --> McpAdvancedSection : creates
    MCPForUnityEditorWindow --> McpConnectionSection : creates
    McpAdvancedSection --> McpConnectionSection : OnHttpServerCommandUpdateRequested
    McpConnectionSection --> HttpEndpointUtility : URL policy checks

Loading

Updated class diagram for server management and transport policy integration

classDiagram
    class ServerManagementService {
        +bool StopLocalHttpServerInternal(bool quiet, int? portOverride, bool force)
        +bool IsLocalUrl()
        +bool CanStartLocalServer()
        -static bool IsLocalUrl(string url)
        -void ClearLocalServerPidTracking()
        -void DeletePidFile(string pidFilePath)
    }

    class IServerManagementService {
        <<interface>>
        +bool CanStartLocalServer()
    }

    class ServerCommandBuilder {
        +bool TryBuildCommand(string fileName, string arguments, string error)
        +string QuoteIfNeeded(string input)
    }

    class WebSocketTransportClient {
        +Task~bool~ StartAsync()
    }

    class HttpEndpointUtility {
        +bool IsLoopbackHost(string host)
        +bool IsBindAllInterfacesHost(string host)
        +bool IsHttpLocalUrlAllowedForLaunch(string url, string error)
        +bool IsCurrentRemoteUrlAllowed(string error)
        +string GetLocalBaseUrl()
    }

    class EditorConfigurationCache {
        <<singleton>>
        +EditorConfigurationCache Instance
        +bool UseHttpTransport
    }

    ServerManagementService ..|> IServerManagementService
    ServerManagementService --> HttpEndpointUtility : launch policy
    ServerCommandBuilder --> HttpEndpointUtility : validate HTTP Local URL
    WebSocketTransportClient --> HttpEndpointUtility : validate HTTP Remote URL
    ServerManagementService --> EditorConfigurationCache : checks UseHttpTransport

Loading

File-Level Changes

Change	Details	Files
Introduce centralized HTTP URL security policy helpers and safer normalization defaults for local vs remote endpoints.	Add AllowLanHttpBind and AllowInsecureRemoteHttp editor preference accessors and helper predicates for loopback and bind-all hosts. Implement IsHttpLocalUrlAllowedForLaunch, IsRemoteUrlAllowed, IsCurrentRemoteUrlAllowed, and GetHttpLocalHostRequirementText in HttpEndpointUtility. Change NormalizeBaseUrl to take a remoteScope flag and default schemes to https for remote URLs and http for local URLs. Update HttpEndpointUtility GetLocalBaseUrl/SaveLocalBaseUrl/GetRemoteBaseUrl/SaveRemoteBaseUrl call sites to pass remoteScope accordingly.	MCPForUnity/Editor/Helpers/HttpEndpointUtility.cs MCPForUnity/Editor/Constants/EditorPrefKeys.cs
Enforce HTTP security policy throughout connection and server launch UI flows, including tooltips and error dialogs.	Gate the main connection toggle by API key presence and remote/local URL policy checks with descriptive tooltips in McpConnectionSection.UpdateConnectionStatus. Use HttpEndpointUtility.IsHttpLocalUrlAllowedForLaunch to determine when to show and enable the local server command UI, including dynamic requirement text and error messaging. Block Start HTTP Server and Start Session actions when local/remote URLs violate policy, surfacing dialogs and log warnings. Ensure advanced HTTP security preference changes trigger both HTTP command and connection status updates from the Advanced section.	MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs MCPForUnity/Editor/Windows/MCPForUnityEditorWindow.cs
Wire new HTTP security preferences into the Advanced settings UI and editor tooling.	Add Allow LAN HTTP Bind and Allow Insecure Remote HTTP toggles in McpAdvancedSection with explanatory tooltips and value persistence via EditorPrefs. Have preference change callbacks update EditorPrefs and request HTTP server command/connection status refresh. Expose the new preferences in the generic EditorPrefsWindow map for inspection. Update the Advanced section UXML layout to include the new toggles.	MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.cs MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.uxml MCPForUnity/Editor/Windows/EditorPrefs/EditorPrefsWindow.cs
Align server management and command-building logic with new local URL policy and improve stale pidfile stop-server behavior.	Broaden ServerManagementService.IsLocalUrl to treat loopback and bind-all hosts as local using HttpEndpointUtility helper functions while leaving policy enforcement to HttpEndpointUtility. Change CanStartLocalServer to require HttpEndpointUtility.IsHttpLocalUrlAllowedForLaunch on the configured local base URL instead of simple locality checks. Update ServerCommandBuilder to use the new launch policy helper and surface detailed error messages when the URL is not allowed. Adjust StopLocalHttpServerInternal to treat pidfile entries whose PID no longer owns the listener as stale, clear tracking, and fall back to guarded port-based heuristics instead of failing closed.	MCPForUnity/Editor/Services/ServerManagementService.cs MCPForUnity/Editor/Services/Server/ServerCommandBuilder.cs
Apply HTTP remote URL policy in the WebSocket transport startup path.	Before establishing a WebSocket connection, check IsRemoteScope and validate the current remote URL against HttpEndpointUtility.IsCurrentRemoteUrlAllowed. On violation, set a disconnected transport state with a descriptive message and log an error instead of proceeding.	MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs
Update and extend tests and documentation to cover new security behavior and defaults.	Extend ServerManagementService characterization tests to cover IPv6 loopback handling, LAN bind opt-in for HTTP Local, and remote/local URL security policy helpers. Adjust existing tests that assumed IPv6 loopback was not recognized as local. Document the new secure-by-default HTTP Local/Remote behavior and opt-in flags in the README Security section.	TestProjects/UnityMCPTests/Assets/Tests/EditMode/Services/Characterization/ServerManagementServiceCharacterizationTests.cs README.md

Possibly linked issues

• #N/A: Link: PR adds loopback-only local HTTP and HTTPS-by-default remote policies, mitigating the issue’s primary network security risks.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds editor security controls and enforcement for HTTP endpoints: two new EditorPrefs keys and UI toggles, extended HttpEndpointUtility host/URL policy checks, updated server management and transport startup flows to enforce local/remote HTTP policies, and corresponding unit tests and docs updates.

Changes

Cohort / File(s)	Summary
Constants & Docs MCPForUnity/Editor/Constants/EditorPrefKeys.cs, README.md	Add two new EditorPref keys (AllowLanHttpBind, AllowInsecureRemoteHttp) and document default fail-closed network behavior.
HTTP Endpoint Validation MCPForUnity/Editor/Helpers/HttpEndpointUtility.cs	Introduce remoteScope-aware URL normalization, loopback / bind-all detection, and public policy methods (AllowLanHttpBind, AllowInsecureRemoteHttp, IsHttpLocalUrlAllowedForLaunch, IsRemoteUrlAllowed, etc.).
Server Command & Management MCPForUnity/Editor/Services/Server/ServerCommandBuilder.cs, MCPForUnity/Editor/Services/ServerManagementService.cs, MCPForUnity/Editor/Services/IServerManagementService.cs	Replace in-file local URL checks with HttpEndpointUtility policy checks; change StopLocalHttpServerInternal to handle non-listener PIDs gracefully; tighten CanStartLocalServer to consult policy.
Transport Startup MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs	Add early remote-URL policy validation on StartAsync to block insecure remote HTTP unless opted-in.
UI: Advanced & Connection Sections MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.cs, .../McpAdvancedSection.uxml, MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs, MCPForUnity/Editor/Windows/MCPForUnityEditorWindow.cs	Add two toggles to Advanced UI, wire EditorPrefs persistence and callbacks, surface policy outcomes in connection/start-server button state and tooltips, and refresh connection status on server-command updates.
EditorPrefs Window MCPForUnity/Editor/Windows/EditorPrefs/EditorPrefsWindow.cs	Register the two new keys in knownPrefTypes so they appear as Bool prefs in the EditorPrefs UI.
Tests TestProjects/UnityMCPTests/.../ServerManagementServiceCharacterizationTests.cs	Add/adjust tests covering local/zero-bind cases, IPv4/IPv6 loopback forms, remote HTTPS defaulting, and opt-in behaviors; preserve/restore new EditorPrefs keys in setup/teardown.

Sequence Diagram(s)

sequenceDiagram
  participant UI as Editor UI
  participant Service as ServerManagementService
  participant Transport as WebSocketTransportClient
  participant Util as HttpEndpointUtility
  UI->>Service: request start local server (reads prefs & URL)
  Service->>Util: IsHttpLocalUrlAllowedForLaunch(localUrl)
  Util-->>Service: allowed / error
  alt allowed
    Service-->>UI: start server (proceed)
  else blocked
    Service-->>UI: show error dialog / tooltip
  end

  UI->>Transport: start connection
  Transport->>Util: IsCurrentRemoteUrlAllowed()
  Util-->>Transport: allowed / error
  alt allowed
    Transport-->>Service: proceed startup
  else blocked
    Transport-->>UI: set Disconnected + log error
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Project scoped tools #596: Adds other EditorPref constants to EditorPrefKeys; directly related to the new preference keys added here.
• fix: harden localhost resolution and reload transport resilience on Windows #688: Modifies HttpEndpointUtility and server/endpoint handling; overlaps with the new validation and normalization changes.
• fix: Multi-session UI improvements and HTTP instance recognition #517: Changes McpConnectionSection UI and start/connection flows; closely related to the UI and policy gating updates included in this PR.

Poem

🐰 I hop and check each host and port,

Loopback snug, while wild binds abort.
Toggles set, HTTPS takes flight,
Safe sessions start — a cozy night. ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.74% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: hardening HTTP defaults and improving server stop fallback behavior.
Description check	✅ Passed	The pull request description comprehensively covers all required template sections including summary, type of change (New feature/Enhancement), changes made, validation results, issue coverage, and documentation updates.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into beta

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

TestProjects/UnityMCPTests/Assets/Tests/EditMode/Services/Characterization/ServerManagementServiceCharacterizationTests.cs (1)

282-355: Comprehensive policy tests for the new HttpEndpointUtility surface.

Five tests covering:

• Remote URL scheme defaulting to HTTPS
• Remote HTTP blocked by default / allowed with opt-in
• Local bind-all blocked by default / allowed with opt-in

The assertions check both the boolean result and the error message content, which will catch regressions in both logic and user-facing messaging. Consider adding a test for IsRemoteUrlAllowed with an HTTPS URL to lock down the always-allowed happy path as well.

💡 Optional: Add an HTTPS happy-path test

+        [Test]
+        public void IsRemoteUrlAllowed_Https_AlwaysAllowed()
+        {
+            // Arrange
+            EditorPrefs.SetBool(EditorPrefKeys.AllowInsecureRemoteHttp, false);
+
+            // Act
+            bool allowed = HttpEndpointUtility.IsRemoteUrlAllowed("https://example.com:8080", out string error);
+
+            // Assert
+            Assert.IsTrue(allowed);
+            Assert.IsNull(error);
+        }

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The loopback/bind-all checks in HttpEndpointUtility.IsLoopbackHost / IsBindAllInterfacesHost rely on a small set of string literals; consider using IPAddress.TryParse plus IPAddress.IsLoopback / checking IPAddress.Any / IPv6Any to robustly handle equivalent representations and avoid edge cases around IPv6 formatting.
• There are several call sites that recompute HttpEndpointUtility.GetLocalBaseUrl() and then immediately call IsHttpLocalUrlAllowedForLaunch (e.g., in McpConnectionSection.UpdateHttpServerCommandDisplay, UpdateStartHttpButtonState, OnHttpServerToggleClicked); you could factor this into a small helper that returns (bool allowed, string error, string url) to reduce repetition and ensure consistent behavior/tooltips.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The loopback/bind-all checks in `HttpEndpointUtility.IsLoopbackHost` / `IsBindAllInterfacesHost` rely on a small set of string literals; consider using `IPAddress.TryParse` plus `IPAddress.IsLoopback` / checking `IPAddress.Any` / `IPv6Any` to robustly handle equivalent representations and avoid edge cases around IPv6 formatting.
- There are several call sites that recompute `HttpEndpointUtility.GetLocalBaseUrl()` and then immediately call `IsHttpLocalUrlAllowedForLaunch` (e.g., in `McpConnectionSection.UpdateHttpServerCommandDisplay`, `UpdateStartHttpButtonState`, `OnHttpServerToggleClicked`); you could factor this into a small helper that returns `(bool allowed, string error, string url)` to reduce repetition and ensure consistent behavior/tooltips.

## Individual Comments

### Comment 1
<location> `README.md:210` </location>
<code_context>
+
+Network defaults are intentionally fail-closed:
+* **HTTP Local** allows loopback-only hosts by default (`127.0.0.1`, `localhost`, `::1`).
+* Bind-all interfaces (`0.0.0.0`, `::`) requires explicit opt-in in **Advanced Settings** via **Allow LAN Bind (HTTP Local)**.
+* **HTTP Remote** requires `https://` by default.
+* Plaintext `http://` for remote endpoints requires explicit opt-in via **Allow Insecure Remote HTTP**.
</code_context>

<issue_to_address>
**suggestion (typo):** Consider changing "requires" to "require" to match the plural subject "interfaces".

Because "interfaces" is plural, the verb should also be plural: "Bind-all interfaces (`0.0.0.0`, `::`) require explicit opt-in in **Advanced Settings** via **Allow LAN Bind (HTTP Local)**."

```suggestion
* Bind-all interfaces (`0.0.0.0`, `::`) require explicit opt-in in **Advanced Settings** via **Allow LAN Bind (HTTP Local)**.
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}