naresh-kumar-babu opened this 2 months ago (status: Open)
Is this accessible to the general public? Or is it an internal route?
I'm guessing it's open to the public... but does it matter?
In theory, only synthetic monitors should have access to heartbeat endpoints, not the general public. It's best to find a way to prevent bad actors from being able to access this endpoint.
@vedmaka or @pastakhov - any thoughts on this? This came from your code. Is enabling /status and /ping a potential security issue, and if so, how can it be resolved?
I withdraw my concern as it seems like it's working just fine for WikiTeq over the past several months. We should ideally add an option for a firewall for these endpoints in the future. I'll go ahead and give my approval.
After discussion at the last meeting, we decided we should hold off on this until we have some clarity about adding a firewall if needed. Rescinding my approval for now. Sorry :(
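The firewall option discussed above (letting only the synthetic monitors reach /status and /ping), sketched as an added example that is not part of this PR or of the WikiTeq code: a WSGI middleware that gates the two heartbeat paths by a source-IP allowlist and believes X-Forwarded-For only when the request arrives from a trusted proxy. The class name, the `trusted_proxies` parameter and all CIDRs are assumptions.

```python
import ipaddress
from typing import Iterable

# Added example, not the project's code: source-IP allowlist for the
# heartbeat paths named in the thread. CIDRs used with it are placeholders.
HEARTBEAT_PATHS = ("/status", "/ping")

class HeartbeatAllowlist:
    """WSGI middleware: /status and /ping answer only to allowed networks.

    X-Forwarded-For is believed only when the socket peer is a trusted
    proxy; otherwise a client could spoof its way in by setting the header.
    """
    def __init__(self, app, allowed: Iterable[str], trusted_proxies: Iterable[str] = ()):
        self.app = app
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed]
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    @staticmethod
    def _in(nets, ip):
        return any(ip in n for n in nets)

    def client_ip(self, environ):
        peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        if xff and self._in(self.trusted, peer):
            # with one proxy layer, the rightmost entry is the address the
            # trusted proxy itself appended; earlier entries are untrusted
            try:
                return ipaddress.ip_address(xff.split(",")[-1].strip())
            except ValueError:
                return peer
        return peer

    def is_allowed(self, environ) -> bool:
        if environ.get("PATH_INFO", "") not in HEARTBEAT_PATHS:
            return True  # everything else is left to the app's own auth
        return self._in(self.allowed, self.client_ip(environ))

    def __call__(self, environ, start_response):
        if not self.is_allowed(environ):
            # 404 rather than 403, so the endpoint's existence is not confirmed
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        return self.app(environ, start_response)
```

Wrap the WSGI app with `HeartbeatAllowlist(app, allowed=[monitor CIDRs], trusted_proxies=[proxy addresses])`; the same check can be expressed as an nginx `allow`/`deny` block or a perimeter firewall rule if that is where the project prefers to keep it.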
Partial fix for #388