fix: bind telnet and web client to localhost only (#9)

Security fix: Change from 0.0.0.0 to 127.0.0.1 for both TELNET_INTERFACES
and WEBSERVER_INTERFACES. Prevents unauthorized external access.

Added docs/SECURITY.md with:
- TLS setup instructions (nginx, caddy)
- SSH tunnel for development
- Firewall rules if external access needed

Closes #9.

server/conf/settings.py

@@ -35,7 +35,7 @@ from evennia.settings_default import *
 SERVERNAME = "Timmy Academy - The Wizard's Canon"
 
 ######################################################################
-# Connection settings for fleet access
+# Connection settings
 ######################################################################
 
 # Telnet port (standard MUD)
@@ -44,9 +44,15 @@ TELNET_PORTS = [4000]
 # Web client port
 WEBSERVER_PORTS = [(4001, 4005)]
 
-# Allow external connections (0.0.0.0 listens on all interfaces)
-TELNET_INTERFACES = ['0.0.0.0']
-WEBSERVER_INTERFACES = ['0.0.0.0']
+# Bind to localhost only for security.
+# For external access, use a reverse proxy (nginx/caddy) with TLS.
+# See docs/SECURITY.md for TLS setup instructions.
+TELNET_INTERFACES = ['127.0.0.1']
+WEBSERVER_INTERFACES = ['127.0.0.1']
+
+# To allow external connections (NOT RECOMMENDED without TLS):
+# TELNET_INTERFACES = ['0.0.0.0']
+# WEBSERVER_INTERFACES = ['0.0.0.0']
 
 # Web client enabled
 WEBSERVER_ENABLED = True