My query is regarding the ‘expose’ port option in the docker-compose. As per documentation this will only expose the port within the docker network and external applications running in the host machine will not be able to access this.
But I am finding that this assumption is not true and we can access this port if used with the IP address of the container instead of localhost.
The sample docker-compose.yml looks like below:
version: '3'
services:
  httpserver:
    hostname: httpserver
    build:
      context: .
    command: bash -c "/etc/init.d/apache2 start ; sleep 100000"
    expose:
      - 80
After starting this up, if I use: wget http://localhost:80, it doesn’t work.
But if I give: wget http://172.19.0.2:80, where 172.19.0.2 is the Docker-assigned IP address, it works and gets the index page.
The Dockerfile is
FROM debian
EXPOSE 80
RUN apt-get update && apt-get install -y apache2
I would like to understand if there is a way to block this port so that it is accessible only to containers within the compose and not accessible to other applications running in the host machine.