Open lothardp opened 1 year ago

I have a Connect server deployed in a different cloud service than my main app, so I am using Let's Encrypt to protect the communication from my app to the 1Password Connect server. I noticed that the /metrics endpoint in the server is publicly available, and it responds with information about the server. I am not sure if you (at 1Password) are aware of this. I don't think this is sensitive information, but I think it would be better if it wasn't public.

Hey @lothardp! I can confirm that the /metrics endpoint is available without authenticating, and I likewise suspect that this is not intended. I'll discuss this with our team internally and update the issue shortly. Thanks for bringing this to our attention.

We are discussing internally and working on a solution for this. Thanks again for filing the issue! In the meantime, (if possible) you might consider restricting public traffic to the data endpoints you require.

You're welcome, and thank you for your quick responses and the tip.