
Is it negligence if it is a documented feature? Bad UX does not imply negligence?



It's documented, but still extremely surprising even for experienced Docker users. The only place you will read about this is if you actually go to the docs page for the `-p` flag. But as I've said before, why would I do that? I already know what `-p` does (spoiler: I didn't know what it did).

It was multiple years before I realized I was exposing my services like this, after it came up on HN a while back.


I am not saying that this does not suck. I was a victim of this as well. I am just saying that it isn't really negligence, just bad architecture.


Right, but there's bad architecture and then there's "this is a security risk and every tutorial in the wild + every app in production uses this in an insecure way and we haven't done anything about it".

I just realized I posted my thoughts on this GitHub issue [1] which is now _six_ years old. There have been no updates / changes made as far as I can tell.

[1] - https://github.com/moby/moby/issues/22054


Mhh good point. I guess if you keep bad architecture long enough it becomes negligence.


There was some site that got pwned because of this last year or so, I forgot the name but the owner did a nice write-up of it and there's a long HN thread on it. There were many experienced Docker users – often using it daily in a business setting – that were not aware of this "feature".

Yes, you can document it somewhere, but 1) not everyone reads everything from cover-to-cover, and 2) even if you do, the real-world implications may not be immediately obvious (the way it was phrased, at the time, didn't make it obvious).


Probably thinking of NewsBlur. I know because the fallout from that is what brought the issue to my attention in the first place. It was 5 years since a public issue was opened at that point, and has been a year since that story, and still nothing has changed.


Ah yes, that's the one; thank you.


That is why you usually secure your stuff by a hardware (or separate) firewall.

But I too found this feature weird when I found out about it.



