Add a note on the secure attribute of the endpoints in both the meta.yml (#1075)

and devfile about the assumptions made to make it really secure.
metlos authored Feb 17, 2020
1 parent 3eee2ea commit babc813
Showing 2 changed files with 5 additions and 3 deletions.
Expand Up @@ -83,10 +83,10 @@ The link:https://github.com/eclipse/che-plugin-registry/tree/master/v3/plugins[c

.`spec.endpoints.attributes` attributes
:===
`protocol`: Protocol, example: `ws`
`protocol`: Protocol, example\: `ws`
`type`: `ide`, `ide-dev`
`discoverable`: `true`, `false`
`secure`: `true`, `false`
`secure`: `true`, `false`. If `true` the endpoint is assumed to listen solely on `127.0.0.1` and is exposed using a JWT proxy.
`cookiesAuthEnabled`: `true`, `false`
:===
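
Review bot: the new `secure` row says the endpoint "is assumed to listen solely on `127.0.0.1`" but, unlike the devfile text changed in the same commit, it does not say what happens when that assumption does not hold. A plugin author who reads only this table would not learn that binding to another interface leaves the server reachable inside the cluster network without the JWT check. Suggest adding that consequence to the row or pointing to the devfile warning. The `example\:` escape on the `protocol` row looks right for a `:===` table, where an unescaped colon starts a new cell.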

Expand Up @@ -502,7 +502,9 @@ Here, there are two dockerimages, each defining a single endpoint. Endpoint is a

* `protocol`: For public endpoints the protocol is a hint to the UI on how to construct the URL for the endpoint access. Typical values are `http`, `https`, `ws`, `wss`.

* `secure`: A boolean (defaulting to `false`) specifying whether the endpoint is put behind a JWT proxy requiring a JWT workspace token to grant access.
* `secure`: A boolean (defaulting to `false`) specifying whether the endpoint is put behind a JWT proxy requiring a JWT workspace token to grant access. The JWT proxy is deployed in the same pod as the server and assumes the server listens solely on the local loopback interface (i.e. the `127.0.0.1` address).
+
WARNING: Listening on any other interface than the local loopback poses a security risk, because such server will be accessible without the JWT authentication within the cluster network on the corresponding IP addresses.

* `path`: The URL of the endpoint
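
Review bot: in the added WARNING, "such server" should read "such a server", and the sentence names the risk without telling the devfile author what to do about it. Suggest making it actionable, for example by stating that the server must bind to `127.0.0.1` rather than to all interfaces. The "i.e. the `127.0.0.1` address" wording in the `secure` item also leaves open whether the IPv6 loopback `::1` satisfies the assumption, which is worth stating explicitly.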
