From 29d4b756b9b4ae3d8b9b661ef2b1f64a7b2c7a0e Mon Sep 17 00:00:00 2001 From: Florian Vogt Date: Fri, 6 Mar 2026 08:37:41 +0100 Subject: [PATCH] docs: Add security notice to pages/Server.md Up-port of https://github.com/UI5/cli/pull/1319 --- internal/documentation/docs/pages/Server.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/internal/documentation/docs/pages/Server.md b/internal/documentation/docs/pages/Server.md index 0de4e561e46..f3dc2ed6865 100644 --- a/internal/documentation/docs/pages/Server.md +++ b/internal/documentation/docs/pages/Server.md @@ -10,6 +10,19 @@ import VPButton from "vitepress/dist/client/theme-default/components/VPButton.vu +::: warning Development Use Only +The UI5 Server is intended for **local development purposes only**. It must not be exposed to untrusted parties or used as a public-facing web server. + +The server does **not** implement safeguards against various network-based attacks — this is by design, as it is not meant to serve production traffic. + +Please be aware of the following risks when using the server: + +- **Custom middleware** from third parties can execute arbitrary code on your system and may introduce additional security vulnerabilities when the server is exposed to a network. +- **Proxy middleware** configured with credentials may enable unauthorized access to the target system for other parties on the same network. +- Using `--accept-remote-connections` makes the server reachable from all hosts on your network, which significantly increases the attack surface. + +::: + ## Standard Middleware All available standard middleware are listed below in the order of their execution. @@ -88,4 +101,4 @@ If Chrome unintentionally redirects an HTTP-URL to HTTPS, you need to delete the .no-decoration { text-decoration: inherit; } - \ No newline at end of file +
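Review bot: In the new warning block of the first hunk, the first two bullets talk about exposure ("when the server is exposed to a network", "other parties on the same network") without saying how that exposure comes about, while only the third bullet names `--accept-remote-connections` as what makes the server reachable from other hosts. Consider moving the flag bullet first, or referring to it from the other two, so readers can see that the middleware and proxy risks grow once the flag is set. The custom-middleware bullet also joins two separate points in one sentence: third-party middleware executes code on the developer's machine whether or not the server is reachable from the network, so splitting the sentence would keep the local risk from reading as conditional on exposure. Two smaller points: the third bullet could lead with a bold term like the other two, and "various network-based attacks" lists no example and no recommended action, so a reader learns what is unsafe but not what to do instead.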