From 11e86776167826ebd789e77d873ff6ea42030b1b Mon Sep 17 00:00:00 2001
From: Tyler James Leonhardt
Date: Mon, 26 Aug 2024 10:11:55 -0700
Subject: [PATCH] Use 127.0.0.1 when spinning up local loopback server (#7268)

1. Security: 127.0.0.1 binds the server to the local machine only, making it inaccessible from external networks. 0.0.0.0 binds the server to all available network interfaces, potentially exposing it to external access.
2. Performance: Binding to 127.0.0.1 can be more efficient as it restricts traffic to the local machine, avoiding unnecessary network overhead.
3. Simplicity: Using 127.0.0.1 ensures that only local applications can connect, simplifying debugging and reducing the risk of unintended access.
---
 ...ure-msal-node-234bf880-8502-4a8e-8755-b58175525b0c.json | 7 +++++++
 lib/msal-node/src/network/LoopbackClient.ts | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 change/@azure-msal-node-234bf880-8502-4a8e-8755-b58175525b0c.json
diff --git a/change/@azure-msal-node-234bf880-8502-4a8e-8755-b58175525b0c.json b/change/@azure-msal-node-234bf880-8502-4a8e-8755-b58175525b0c.json
new file mode 100644
index 0000000000..188473a06f
--- /dev/null
+++ b/change/@azure-msal-node-234bf880-8502-4a8e-8755-b58175525b0c.json
@@ -0,0 +1,7 @@
+{
+ "type": "patch",
+ "comment": "Use '127.0.0.1' for the host when spinning up local loopback server",
+ "packageName": "@azure/msal-node",
+ "email": "tyleonha@microsoft.com",
+ "dependentChangeType": "patch"
+}
diff --git a/lib/msal-node/src/network/LoopbackClient.ts b/lib/msal-node/src/network/LoopbackClient.ts
index f3eb9a6a86..734d9e14d9 100644
--- a/lib/msal-node/src/network/LoopbackClient.ts
+++ b/lib/msal-node/src/network/LoopbackClient.ts
@@ -74,7 +74,7 @@ export class LoopbackClient implements ILoopbackClient {
 resolve(authCodeResponse);
 }
 );
- this.server.listen(0); // Listen on any available port
+ this.server.listen(0, '127.0.0.1'); // Listen on any available port
 }
 );
 }
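Review bot: Binding to `'127.0.0.1'` makes the listener IPv4-only, and nothing in this hunk shows the redirect URI handed to the browser being changed to match; if it is still built from the hostname `localhost` elsewhere in this class (not visible here), a client that resolves `localhost` to `::1` first could fail to reach the callback server. It is worth confirming that the redirect URI uses the same literal, or documenting next to the call why the hostname form is kept. The trailing comment also still describes only the port; something like `// Port 0: OS-assigned ephemeral port. Host 127.0.0.1: loopback only, so the auth-code listener is unreachable from other machines` would record the security reason where the next maintainer will see it. A unit test asserting that `server.address()` reports `127.0.0.1` after `listen` would keep the binding from silently regressing. The enclosing method starts and ends outside the hunk.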