From 97325598642677898c10f7c127184b0501ed2727 Mon Sep 17 00:00:00 2001
From: Teknium <127238744+teknium1@users.noreply.github.com>
Date: Sun, 24 May 2026 04:24:40 -0700
Subject: [PATCH] fix(security): restrict dashboard websockets to loopback clients (#30741)

---
 hermes_cli/web_server.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/hermes_cli/web_server.py b/hermes_cli/web_server.py
index d5d319dda..bf94f0cea 100644
--- a/hermes_cli/web_server.py
+++ b/hermes_cli/web_server.py
@@ -3296,19 +3296,11 @@
 _VALID_CHANNEL_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}$")
 _LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1", "localhost", "testclient"})
 
-def _is_public_bind() -> bool:
-    """True when bound to all-interfaces (operator used --insecure)."""
-    return getattr(app.state, "bound_host", "") in {"0.0.0.0", "::"}
-
-
 def _ws_client_is_allowed(ws: "WebSocket") -> bool:
     """Check if the WebSocket client IP is acceptable.
 
-    Allows loopback always; allows any IP when bound to all-interfaces
-    (--insecure mode, guarded by session token auth).
+    Allows loopback clients only.
     """
-    if _is_public_bind():
-        return True
     client_host = ws.client.host if ws.client else ""
     if not client_host:
         return True
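Review bot: With the public-bind bypass removed, the surviving `if not client_host: return True` is now the only fail-open path in `_ws_client_is_allowed`, and it contradicts the new docstring: a websocket whose peer address is unavailable (`ws.client` is None) is admitted as if it were loopback. If the intent is genuinely loopback-only, change that branch to `return False`; if an address-less peer is a deliberate exception, keep it but say why, e.g. `# No peer address on this transport; treated as local — confirm this only occurs in-process`. Note also that `ws.client.host` is the transport peer, so if the dashboard is fronted by a reverse proxy on the same machine every remote client would present a loopback address; that depends on the deployment and is not visible here. The function continues past the end of the hunk, so the loopback comparison itself is not in view.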