1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect

/metrics endpoint exposed #52

Open lothardp opened 1 year ago

lothardp commented 1 year ago

I have a connect server deployed in a different cloud service than my main app, so I am using Let's Encrypt to protect the communication from my app to the 1Password connect server. I noticed that the /metrics endpoint in the server is publicly available, and it responds with information about the server. I am not sure if you (at 1Password) are aware of this, I don't think this is sensible information but I think it would be better if it wasn't public.

ag-adampike commented 1 year ago

Hey @lothardp! I can confirm that the /metrics endpoint is available without authenticating, and I likewise suspect that this is not intended.

I'll discuss this with our team internally and update the issue shortly. Thanks for bringing this to our attention.

ag-adampike commented 1 year ago

We are discussing internally and working on a solution for this. Thanks again for filing the issue!

In the meantime, (if possible) you might consider restricting public traffic to the data endpoints you require.
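One way to apply that tip at the TLS-terminating reverse proxy in front of the Connect server, as an added example that is not from the 1Password project or from this thread: an nginx server block that forwards only the data endpoints the app uses and limits /metrics to an internal network. The upstream address and port, the internal CIDR, the hostname and the certificate paths are assumptions for illustration.

```nginx
# Assumed: connect-api container reachable at 127.0.0.1:8080 on this host.
upstream connect_api {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name connect.example.internal;   # assumed hostname

    # Assumed Let's Encrypt certificate paths for this hostname.
    ssl_certificate     /etc/letsencrypt/live/connect.example.internal/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/connect.example.internal/privkey.pem;

    # Data endpoints the app calls; the bearer token is still checked upstream.
    location /v1/ {
        proxy_pass http://connect_api;
        proxy_set_header Host $host;
    }

    # Liveness probe used by external monitoring.
    location = /heartbeat {
        proxy_pass http://connect_api;
    }

    # Weak setting this replaces: no location block, so /metrics was proxied
    # to anyone. Instead, only the assumed internal scrape network may reach it.
    location = /metrics {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://connect_api;
    }

    # Anything not listed above is not forwarded at all.
    location / {
        return 404;
    }
}
```

After reloading nginx, a request to /metrics from outside the allowed range should return 403 while /v1/ requests with a valid token still succeed.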

lothardp commented 1 year ago

You're welcome, and thank you for your quick responses and the tip.