---
title: Server binds to all network interfaces
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Server binds to all network interfaces
---

# Server binds to all network interfaces

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `rust-security/bind-all-interfaces`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [1327](https://cwe.mitre.org/data/definitions/1327.html)

## Description{% #description %}

Binding a server to `0.0.0.0` (or `[::]` for IPv6) exposes it on every available network interface, including public ones. This is a common misconfiguration in containerized Rust services and the default in many tutorials. Bind to a specific interface (e.g. `127.0.0.1` for local-only access, or a private interface address) unless the service is intentionally public.

#### Learn More{% #learn-more %}

- [CWE-1327: Binding to an Unrestricted IP Address](https://cwe.mitre.org/data/definitions/1327.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use std::net::{TcpListener, SocketAddr, SocketAddrV4, SocketAddrV6, Ipv4Addr, Ipv6Addr};
use tokio::net::TcpListener as TokioListener;
use actix_web::HttpServer;

async fn bad() -> std::io::Result<()> {
    // std bind to all IPv4 interfaces
    let _ = TcpListener::bind("0.0.0.0:8080")?;

    // tokio bind to all IPv4 interfaces
    let _ = TokioListener::bind("0.0.0.0:3000").await?;

    // actix-web .bind() chain
    let _ = HttpServer::new(|| ()).bind("0.0.0.0:3001")?;

    // IPv6 unspecified
    let _ = TcpListener::bind("[::]:50051")?;

    // raw string literal still matches
    let _ = TcpListener::bind(r"0.0.0.0:9000")?;

    // tonic parse-then-bind idiom
    let _addr: SocketAddr = "0.0.0.0:50051".parse().unwrap();

    // Programmatic construction via UNSPECIFIED constants
    let _v4 = SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, 7000);
    let _v6 = SocketAddrV6::new(std::net::Ipv6Addr::UNSPECIFIED, 7001, 0, 0);

    Ok(())
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use std::net::{TcpListener, SocketAddr, SocketAddrV4, Ipv4Addr};

fn ok() -> std::io::Result<()> {
    // Loopback (local only)
    let _ = TcpListener::bind("127.0.0.1:8080")?;
    let _ = TcpListener::bind("[::1]:8080")?;

    // Specific internal interface
    let _ = TcpListener::bind("192.168.1.10:9000")?;

    // Parsed as SocketAddr but to loopback
    let _addr: SocketAddr = "127.0.0.1:9000".parse().unwrap();

    // Localhost constant — must not match (predicate filters UNSPECIFIED)
    let _addr = SocketAddrV4::new(Ipv4Addr::LOCALHOST, 7000);

    // Non-bind method that happens to take a 0.0.0.0 string — must not match
    let _ = parse_address("0.0.0.0:8080");

    Ok(())
}
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}