
Option to secure metrics endpoint #69

Open
litetex opened this issue Jan 8, 2025 · 3 comments

Comments

@litetex
Contributor

litetex commented Jan 8, 2025

Exposing the /metrics endpoint publicly (as is currently the case) is not a good idea, since attackers could possibly get information from there.

Recommended solution:
Make it possible to secure the endpoint with authentication (e.g. Basic Auth) and/or make it possible to expose it on a different port.

Related:
https://prometheus.io/docs/operating/security/

Therefore, the HTTP endpoints provided by Prometheus components should not be exposed to publicly accessible networks like the internet (unless you know what you are doing and have taken appropriate measures). This includes (but is not limited to) the /metrics endpoint of instrumented binaries ....

@p1gp1g
Member

p1gp1g commented Jan 10, 2025

Exposing /metrics is often not a good idea for a common website, since endpoints often contain some sensitive stuff. Just like having sensitive stuff in queries (path/params) is often not a good idea, and like relying on these secrets to do access control too.

With mollysocket, there is nothing sensitive in queries, and nothing sensitive in metrics. So, this does not apply here. If you are concerned with any information returned by the endpoint, you can restrict access with your reverse proxy.
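The two mitigations discussed in this thread, Basic Auth on the endpoint and restricting access at the reverse proxy, can be combined in the proxy in front of the service. The following nginx configuration is an added example and is not part of mollysocket or of either comment; the upstream address `127.0.0.1:8020`, the scraper network `10.0.0.0/8`, the htpasswd path and the public hostname are all assumptions and must be replaced with the values of the actual deployment.

```nginx
# Added example (not mollysocket's own configuration).
# Assumes mollysocket listens on 127.0.0.1:8020 (assumption) and that
# only the Prometheus scraper network may read /metrics.

server {
    listen 443 ssl;
    server_name ms.example.org;   # placeholder hostname

    # Everything else is passed through unchanged.
    location / {
        proxy_pass http://127.0.0.1:8020;
    }

    # /metrics: require BOTH a trusted source address AND valid
    # Basic Auth credentials. `satisfy all` is nginx's default, so
    # a request failing either check is rejected.
    location = /metrics {
        satisfy all;

        allow 10.0.0.0/8;        # Prometheus scraper network (assumption)
        deny  all;

        auth_basic           "metrics";
        auth_basic_user_file /etc/nginx/metrics.htpasswd;  # placeholder path

        proxy_pass http://127.0.0.1:8020;
    }
}
```

Alternative to the allow/deny list: serve `/metrics` from a second `server` block bound to an internal interface only, which is the "expose it on a different port" variant of the same idea. Whichever variant is used, a quick check is an unauthenticated `curl https://ms.example.org/metrics` from outside the scraper network, which should return 401 or 403 rather than the metrics text.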

@litetex
Contributor Author

litetex commented Jan 10, 2025

Having to disagree here a bit:

> With mollysocket, there is nothing sensitive in queries, and nothing sensitive in metrics. So, this does not apply here

Well if I'm an attacker, I can utilize the metrics to see if my attacks work or not.

Also the endpoint is irrelevant for the normal user, so limiting it should be no problem.

> If you are concerned with any information returned by the endpoint, you can restrict access with your reverse proxy

Yes, I already did that, however other people might not think about this immediately so having an option would be kind of nice :)

@p1gp1g
Member

p1gp1g commented Jan 11, 2025

What kind of attack would there be? And honestly, anyone trying to do any "attack" on ms would do tests on their own instance, making this kind of check irrelevant, don't you think?
