From 15d4738fb58bd29a8af03774cbac1108f099c161 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 26 Jan 2026 13:30:29 +0000
Subject: [PATCH] fix: default mDNS discovery mode to minimal (#1882) (thanks
 @orlyjamie)

---
 CHANGELOG.md               | 1 +
 src/gateway/server.impl.ts | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 668a91823..ce6007b78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Status: unreleased.
 
 ### Fixes
 - Security: harden Tailscale Serve auth by validating identity via local tailscaled before trusting headers.
+- Security: add mDNS discovery mode with minimal default to reduce information disclosure. (#1882) Thanks @orlyjamie.
 - Web UI: improve WebChat image paste previews and allow image-only sends. (#1925) Thanks @smartprogrammer93.
 - Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed).
 
diff --git a/src/gateway/server.impl.ts b/src/gateway/server.impl.ts
index 81e35c56e..7435ed1a7 100644
--- a/src/gateway/server.impl.ts
+++ b/src/gateway/server.impl.ts
@@ -352,7 +352,6 @@ export async function startGatewayServer(
       : undefined,
     wideAreaDiscoveryEnabled: cfgAtStart.discovery?.wideArea?.enabled === true,
     tailscaleMode,
-    tailscaleMode,
     mdnsMode: cfgAtStart.discovery?.mdns?.mode,
     logDiscovery,
   });