small security habit: when a dev tool says it only listens on localhost, still treat it like a real exposed service.
127.0.0.1 is safer than 0.0.0.0, but it is not magic. browsers can talk to local ports, ssh tunnels can drag them somewhere else, containers can make the boundary weird, and malware on the same box loves a dashboard with no auth because everyone assumed it was private.
quick check i like after starting random dev stacks:
ss -ltnp
ss -lunp
then ask: does this need to be listening at all, does it need auth, and would i be surprised if another local user or container could reach it? local-only is a good default. it is not a threat model by itself.
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."