You're relying on everyone in the world to set things up in a way that provides defense in depth. Not everyone is going to do that.
Which means there's going to be a lot of cases where people don't do the safe thing.
Especially, as others have said, in the case of MCP servers, where the spec mandates exposed OAuth.
The saving grace here is that people are most commonly doing this for reasons other than as a defense - serving static files efficiently, combining multiple services, caching, DDoS protection, etc. There are certainly some directly exposed FastAPI instances but it’s been against the grain for decades.