Add info about port binding controls

gavin-docker · gavin-docker · commit ad2999db445b · 2025-11-18T11:06:20.000Z
diff --git a/content/manuals/desktop/settings-and-maintenance/settings.md b/content/manuals/desktop/settings-and-maintenance/settings.md
@@ -315,6 +315,8 @@ On Windows and Mac, you can also set the default networking mode and DNS resolut
 
 On Mac, you can also select the **Use kernel networking for UDP** setting. This lets you use a more efficient kernel networking path for UDP. This may not be compatible with your VPN software.
 
+You can also define the behavior of port bindings. By default Docker Desktop binds all ports on containers to `0.0.0.0` on the host, though this can be overridden by providing a specific IP. You can change this default behavior by changing the **Port binding behavior** setting, allowing you to either bind to localhost (`127.0.0.1`) by default, or only allow containers to bind to localhost under any circumstances, even if requested otherwise.
+
 ### WSL Integration
 
 On Windows in WSL 2 mode, you can configure which WSL 2 distributions will have the Docker
@@ -534,4 +536,4 @@ Use the **Docker Offload** tab to:
 - Toggle **Enable Docker Offload**. When enabled, you can start Offload sessions.
 - Select **Idle timeout**. This is the duration of time between no activity and Docker Offload entering idle mode.For
   details about idle timeout, see [Active and idle states](../../offload/configuration.md#understand-active-and-idle-states)
-- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available.
+- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available.
diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md
@@ -239,6 +239,10 @@ The following sample is an `admin-settings.json` file with common enterprise set
   "enableInferenceGPUVariant": {
     "locked": true,
     "value": true
+  },
+  "portBindingBehavior": {
+    "locked": true,
+    "value": "default-port-binding"
   }
 }
 ```
@@ -357,6 +361,7 @@ The following tables describe all available settings in the `admin-settings.json
 |:-------------------------------|---|:-------------------------------|---|
 | `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. |
 | `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none`| Docker Desktop version 4.43 and later. |
+| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. |
 
 For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows).
 
