Default listen_addr binds to 0.0.0.0 — exposes unauthenticated API to the network #16

@xPathin

Description

The default listen_addr in internal/config/config.go is set to ":43654", which in Go's net package binds to 0.0.0.0 (all network interfaces). This means the HTTP API is reachable by any device on the local network.

Since the HTTP endpoints have no authentication, anyone on the same network can:

  • Search the user's filesystem via GET /search?q=<term> — returning full file paths, match locations, and indexed content
  • Trigger a full reindex via POST /reindex or POST /sync, causing CPU/IO load
  • Start/stop the file watcher via POST /watch/start and POST /watch/stop
  • View index statistics via GET /stats

This is a local desktop search daemon — there's no remote access, multi-device sync, or any feature that would require network-wide binding. The CLI client already communicates over Unix sockets, so the HTTP server is only needed for the local REST API.

Steps to reproduce

  1. Install dsearch and start the daemon with default config (listen_addr = ":43654")
  2. From another device on the same network (tested with a Docker container on the Docker bridge network):
    curl "http://<host-ip>:43654/search?q=password&limit=3"
  3. Full file paths from the user's home directory are returned without any authentication, e.g.:
    {"hits":[{"id":"/home/user/.cache/danksearch/index","id":"/home/user/path/to/passwords.txt","score":4.39,...}],"total_hits":9287,...}

Expected behavior

The default listen_addr should be "127.0.0.1:43654" so the HTTP server is only reachable from localhost.

Suggested fix

In internal/config/config.go:

// Change from:
ListenAddr: ":43654",

// To:
ListenAddr: "127.0.0.1:43654",

And update config.example.toml accordingly:

listen_addr = "127.0.0.1:43654"

Users who explicitly want network access can always override this in their config.
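The issue turns on how Go interprets the host part of a listen address: an empty host (as in ":43654"), "0.0.0.0" or "::" is the unspecified address and binds every interface, while 127.0.0.0/8 and ::1 stay on the machine. The following Go program, added here as an illustration and not code from the dsearch project, classifies a listen_addr value with the standard library's net package and shows the kind of startup check a daemon with an unauthenticated API could run: refuse a non-loopback bind unless an explicit opt-in is set. The names ListenScope, ClassifyListenAddr, ValidateListenAddr and the allow_network option are assumptions for this example, not the project's API.

```go
package main

import (
	"fmt"
	"net"
)

// ListenScope describes who can reach a listener bound to a given address.
type ListenScope int

const (
	ScopeLoopback          ListenScope = iota // only processes on this host
	ScopeAllInterfaces                        // every device that can route to the host
	ScopeSpecificInterface                    // one non-loopback interface address
)

func (s ListenScope) String() string {
	switch s {
	case ScopeLoopback:
		return "loopback"
	case ScopeAllInterfaces:
		return "all-interfaces"
	default:
		return "specific-interface"
	}
}

// ClassifyListenAddr interprets a host:port string the way net.Listen does:
// an empty host, "0.0.0.0" or "::" is the unspecified address and binds every
// interface; 127.0.0.0/8, ::1 and the literal name "localhost" stay local.
func ClassifyListenAddr(addr string) (ListenScope, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return ScopeAllInterfaces, fmt.Errorf("listen_addr %q: %w", addr, err)
	}
	switch host {
	case "":
		return ScopeAllInterfaces, nil
	case "localhost":
		return ScopeLoopback, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Any other hostname would need DNS resolution to judge; treat it as
		// network-reachable so the conservative branch of the check applies.
		return ScopeSpecificInterface, nil
	}
	switch {
	case ip.IsUnspecified():
		return ScopeAllInterfaces, nil
	case ip.IsLoopback():
		return ScopeLoopback, nil
	default:
		return ScopeSpecificInterface, nil
	}
}

// ValidateListenAddr is a hypothetical startup check (not part of dsearch):
// an unauthenticated API may only leave loopback when the operator has set
// an explicit opt-in such as a hypothetical allow_network = true option.
func ValidateListenAddr(addr string, allowNetwork bool) error {
	scope, err := ClassifyListenAddr(addr)
	if err != nil {
		return err
	}
	if scope != ScopeLoopback && !allowNetwork {
		return fmt.Errorf("listen_addr %q binds %s but the HTTP API has no authentication; set allow_network = true to opt in", addr, scope)
	}
	return nil
}

func main() {
	// Constructed sample values, including the current and proposed defaults.
	for _, addr := range []string{":43654", "0.0.0.0:43654", "127.0.0.1:43654", "[::1]:43654", "192.168.1.10:43654"} {
		scope, err := ClassifyListenAddr(addr)
		fmt.Printf("%-20s -> %-18v err=%v\n", addr, scope, err)
	}
	fmt.Println("default check:", ValidateListenAddr(":43654", false))
}
```

Run as written it reports ":43654" and "0.0.0.0:43654" as all-interfaces and the proposed "127.0.0.1:43654" as loopback, and the validation of the current default returns an error. Changing the default alone, as the issue proposes, fixes the shipped configuration; a check like ValidateListenAddr additionally catches the case where a user later edits listen_addr to a wildcard without realising the API is unauthenticated.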
