Securing a Web Hidden Service

Listening on “localhost” is kinda-okay because it is better than the threat as described; however, it opens up whole new vistas of threats associated with web software (especially Apache-related) which “trusts” localhost.

See this thread for details:

See this article for explanation:

See this GitHub document for how to avoid this problem:
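One way to check an Apache configuration for the localhost-trust problem described above, as an added example that is not taken from the thread, article or GitHub document referenced here. It assumes the onion service forwards to a loopback listener; the function name `find_loopback_trust` and the sample configuration are constructed for illustration.

```python
import re

# Access rules that admit a client because its address is loopback.
# Assumption: the onion service forwards to a loopback listener, so the
# Tor daemon's connections (i.e. every visitor) satisfy these rules.
LOOPBACK_RULES = re.compile(
    r"""^(?:
        Require\s+local\b
      | Require\s+ip\s+.*(?:127\.\d+\.\d+\.\d+|::1)
      | Require\s+host\s+.*\blocalhost\b
      | Allow\s+from\s+.*(?:127\.\d+\.\d+\.\d+|::1|\blocalhost\b)
    )""", re.IGNORECASE | re.VERBOSE)
OPEN = re.compile(r"^<(?!/)(\w+)\s*([^>]*)>")   # e.g. <Location /x>
CLOSE = re.compile(r"^</(\w+)>")                # e.g. </Location>

def find_loopback_trust(conf_text):
    """Return (line_no, enclosing_section, directive) per loopback rule."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments grant nothing
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif m := OPEN.match(line):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif LOOPBACK_RULES.match(line):
            findings.append((no, stack[-1] if stack else "(server)", line))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """\
<VirtualHost 127.0.0.1:8080>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    <Location /admin>
        Deny from all
        Allow from 127.0.0.1 ::1
        # Require ip 127.0.0.1
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, section, directive in find_loopback_trust(SAMPLE_CONF):
        print(f"line {no}: <{section}> trusts loopback: {directive}")
```

Each finding marks a rule that no longer separates the local administrator from remote visitors once all traffic arrives from loopback; such sections need a different access control or a listener that is not on loopback.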