Prevent external hosts from accessing the collection API directly (#1208)

Ndpnt · web-flow · commit 28416714a056 · 2025-11-24T14:15:23.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased [patch]
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Fixed
+
+- Prevent external hosts from accessing the collection API directly
+
 ## 10.0.0 - 2025-11-20
 
 _Full changeset and discussions: [#1207](https://github.com/OpenTermsArchive/engine/pull/1207)._
diff --git a/src/collection-api/server.js b/src/collection-api/server.js
@@ -19,7 +19,7 @@ app.use(errorsMiddleware);
 
 const port = config.get('@opentermsarchive/engine.collection-api.port');
 
-app.listen(port);
+app.listen(port, '127.0.0.1');
 
 if (process.env.NODE_ENV !== 'test') {
   logger.info(`Start Open Terms Archive API on http://localhost:${port}${BASE_PATH}`);
