mgedmin / restview

ReStructuredText viewer

Home Page: https://pypi.python.org/pypi/restview

Protect against DNS rebinding attacks

mgedmin opened this issue · comments

restview listens on loopback only by default, for security reasons. This is insufficient: see https://en.wikipedia.org/wiki/DNS_rebinding.

The fix is to validate the Host header in HTTP requests. If it's set to localhost or 127.0.0.1 (or localhost6? or ::1? do browsers send ::1 or [::1] for IPv6?), allow; otherwise deny.

Note that the Host header may also include the port number after a :.

Note that domain names might have a trailing dot (e.g. localhost.).

Note that localhost has many IPv4 addresses (127.x.x.x), although I think nothing will break if I reject them. Then again, the Host header would not be a pure IP address if a DNS rebinding attack took place (and, e.g., the patch for Transmission allows all Host headers that are pure IP addresses).

This filtering should be off if you explicitly ask for a public server via -l *:8080.
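One way to implement the Host header check described in this issue, as an added example that is not restview's own code: it accepts `localhost`, any loopback IP address (127.0.0.0/8 and ::1, bracketed or not), tolerates an optional `:port` and a trailing dot, rejects everything else, and is switched off when the server was explicitly bound to a non-loopback address. The allowlist name `LOCAL_NAMES`, the function names, the optional `expected_port` parameter and the assumption that the `-l` value has already been split into host and port are all assumptions of this example; unlike the Transmission patch mentioned above, it does not allow arbitrary pure IP addresses, only loopback ones.

```python
import ipaddress
from typing import Optional, Tuple

# Hostnames treated as "this machine" (constructed allowlist for this example).
LOCAL_NAMES = frozenset({"localhost"})


def split_host_port(host_header: str) -> Tuple[str, Optional[str]]:
    """Split a Host header value into (host, port-or-None).

    Handles "localhost", "localhost:8080", "127.0.0.1:8080", "[::1]:8080"
    and, tolerantly, an unbracketed "::1" (which cannot carry a port).
    Raises ValueError on malformed IPv6 literals.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected data after IPv6 literal")
        return host, rest[1:]
    if value.count(":") > 1:
        # More than one colon without brackets: bare IPv6 address, no port.
        return value, None
    host, sep, port = value.partition(":")
    return host, (port if sep else None)


def is_local_host_header(host_header: str, expected_port: Optional[int] = None) -> bool:
    """True if the Host header names the local machine (and the expected port, if given)."""
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False
    if port is not None:
        if not port.isdigit():
            return False
        if expected_port is not None and int(port) != expected_port:
            return False
    host = host.lower().rstrip(".")  # "localhost." -> "localhost"
    if host == "":
        return False
    if host in LOCAL_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # some other domain name: could be a rebound attacker name
    return addr.is_loopback  # 127.0.0.0/8 or ::1


def host_filtering_enabled(listen_address: str) -> bool:
    """The check only makes sense when bound to loopback; a public listen
    address such as "*", "0.0.0.0" or "::" (assumed forms of -l *:8080) turns it off."""
    if listen_address in ("", "*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(listen_address).is_loopback
    except ValueError:
        return listen_address.lower().rstrip(".") in LOCAL_NAMES


def allow_request(host_header: str, listen_address: str, listen_port: int) -> bool:
    """Decision for one HTTP request: allow unless filtering is on and Host is foreign."""
    if not host_filtering_enabled(listen_address):
        return True
    return is_local_host_header(host_header, expected_port=listen_port)


if __name__ == "__main__":
    # Constructed sample Host header values as a browser might send them.
    samples = ["localhost:8080", "127.0.0.1:8080", "[::1]:8080", "localhost.",
               "evil.example.com:8080", "localhost.evil.example", "[::1"]
    for sample in samples:
        verdict = "allow" if allow_request(sample, "127.0.0.1", 8080) else "deny"
        print(f"{sample!r:28} -> {verdict}")
```

A real server would run `allow_request` before serving any path and answer a rejected request with a 4xx status rather than the document, so a page loaded from an attacker-controlled name that has been rebound to 127.0.0.1 never sees the rendered file.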