
> We don't do this because it's a performance hog and we assume you're already reverse proxying behind any responsible front-end server

What application servers have you written? I have never seen an application server readme say DON'T EXPOSE DIRECTLY TO THE INTERNET, WE ASSUME YOU USE REVERSE PROXY.



Most of them have a disclaimer in their deployment or tutorial docs, some with stronger language than others. Again, nothing bad happens if you don't, we don't write memory vulnerabilities into these servers. You are just far more vulnerable to DoS attacks.

* "We strongly recommend using Gunicorn behind a proxy server" [1]

* "As a general rule, you probably want to: ... run behind Nginx for self-hosted deployments." [2]

* "A reverse proxy such as nginx or Apache httpd should be used in front of Waitress." [3]

For some, like uWSGI, they don't even want to talk HTTP (uWSGI supports its own protocol) and it's just assumed you're using a dedicated webserver to talk to public traffic. [4]

[1]: https://docs.gunicorn.org/en/latest/deploy.html

[2]: https://www.uvicorn.org/deployment/

[3]: https://flask.palletsprojects.com/en/stable/deploying/waitre...

[4]: https://uwsgi-docs.readthedocs.io/en/latest/tutorials/Django...
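
Added example, not part of the thread or of the cited projects' documentation: a minimal nginx front end of the kind those deployment pages recommend, showing the settings that keep slow or excessive clients away from the application server's workers. The upstream address `127.0.0.1:8000`, the hostname `app.example.com` and all numeric limits are assumptions chosen for illustration.

```nginx
# Constructed example; addresses, names and limits are illustrative.
events {}

http {
    # Shared-memory zone counting concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    upstream app_server {
        # Assumed: the application server (Gunicorn, Uvicorn, Waitress, ...)
        # listens on loopback only, so it is never reachable directly.
        server 127.0.0.1:8000 fail_timeout=0;
    }

    server {
        listen 80;
        server_name app.example.com;   # placeholder hostname

        # Close connections from clients that send headers or bodies
        # too slowly, instead of letting them hold a connection open.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;
        keepalive_timeout     15s;

        # Bound request size and concurrent connections per client.
        client_max_body_size 4m;
        limit_conn per_ip 20;

        location / {
            proxy_pass http://app_server;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # nginx reads the whole request before contacting the upstream
            # and buffers the response, so an application worker is busy
            # only while the application itself is working.
            proxy_request_buffering on;
            proxy_buffering         on;
            proxy_read_timeout      30s;
        }
    }
}
```

Validate the file with `nginx -t -c /path/to/file` before loading it; production deployments would add TLS on the listener.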



