Xabaril / AspNetCore.Diagnostics.HealthChecks

Enterprise HealthChecks for ASP.NET Core Diagnostics Package
Apache License 2.0

Require authorization for both endpoint and UI #1383

Open aleksvujic opened 2 years ago

aleksvujic commented 2 years ago

I checked the sample for Health Checks UI and found out that only the UI requires authorization, while the endpoint is unprotected. Was this done on purpose? Why would you protect the UI if the endpoint is unprotected? If you open the endpoint URL directly, all the data is available there without the need for authorization. This concerns me from a security perspective.

Requiring authorization for both the endpoint and for the UI will crash the UI:

app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization();

app.MapHealthChecksUI()
    .RequireAuthorization();

returns:

Unexpected character encountered while parsing value: <. Path '', line 0, position 0.

How to protect both user interface AND endpoints?
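The failure described above is what happens when the UI's own background poller (which runs inside the same process and fetches `/health` like any other client) is sent to a login page instead of the JSON report: the body starts with `<`, so the JSON reader fails. The configuration below is an added example written for this thread, not code from the issue or from the project's samples. It assumes an authentication scheme named `Bearer` is already registered, that the poller's credential is read from the configuration key `HealthChecks:ApiToken`, and that `ConfigureApiEndpointHttpclient` is the `HealthChecks.UI` settings method for customizing the poller's `HttpClient` (treat that method name as an assumption and check it against the version you run).

```csharp
// Added example: protect both the health endpoint and the UI, and give the
// UI's server-side poller its own credential so it receives JSON, not HTML.
using System.Net.Http.Headers;
using HealthChecks.UI.Client;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed: authentication/authorization services (scheme "Bearer") are
// registered here, e.g. builder.Services.AddAuthentication("Bearer")...
builder.Services.AddAuthorization();

builder.Services.AddHealthChecks();

builder.Services
    .AddHealthChecksUI(setup =>
    {
        // Relative URI: the UI resolves it against this server's own address.
        setup.AddHealthCheckEndpoint("api", "/health");
        setup.SetEvaluationTimeInSeconds(30);

        // Assumed settings method: attach the poller's bearer token so the
        // protected /health endpoint answers with JSON instead of a login page.
        setup.ConfigureApiEndpointHttpclient((sp, client) =>
        {
            // Assumed configuration key; keep the value out of source control.
            var token = builder.Configuration["HealthChecks:ApiToken"];
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", token);
        });
    })
    .AddInMemoryStorage();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Same endpoint shape as the issue's snippet: the JSON report is not
// reachable without credentials.
app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization();

// The UI pages and the /healthchecks-api route the browser calls are
// protected too; a signed-in user reaches them through the normal scheme.
app.MapHealthChecksUI().RequireAuthorization();

app.Run();
```

Two checks are worth running after wiring this up: an unauthenticated `GET /health` must come back with a 401 (or a redirect, if the default scheme is cookie based) rather than the report body, and the UI must still show a status for the `api` endpoint instead of the parsing error quoted above. If the default challenge is a cookie login redirect, the poller receives that HTML page whenever its token is missing or rejected, which reproduces the `Unexpected character encountered while parsing value: <` message exactly; a bearer-only challenge on `/health` turns the same misconfiguration into a visible 401 in the UI, which is easier to diagnose.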

normandev92 commented 1 year ago

Yes, I agree with this. It doesn't look like you can attach a bearer token whenever the separate HealthChecksUI source code makes a request to any protected health checks API endpoint, as far as I could see. As a result, the UI might not be considered fit for purpose for some.