Cisco does recommend disabling the HTTP Server feature on any Cisco IOS XE systems that are internet-facing. The advisory provides steps on how to disable the feature as well as steps on how to determine if the HTTP Server feature is enabled. Additionally, the Cisco security advisory outlines an additional command to run after disabling the HTTP Server feature, to ensure that the feature is not re-enabled after a system reload.
So yeah, maybe not widen your attack surface to the whole fucking internet in the first place.
Indeed, from a tenable article:
So yeah, maybe not widen your attack surface to the whole fucking internet in the first place.