After MDL-48498 we have new settings for the HTTP security:
cURL blocked hosts list
cURL allowed ports list
They are both empty by default. It makes sense to keep them empty for upgraded sites that can already have RSS feeds pointing to local hosts or weird ports.
However for new installations I recommend to set reasonable defaults blacklisting various local hosts and whitelisting 80 port only.