Open zidokobik opened 8 months ago
Totally agree. HTTP basic auth or IP whitelisting
Hi, I would not consider it a bad security practice. It really depends on the architecture of your application. For example, you could have an ingress like Traefik or Nginx in front of the API that handles everything related to authentication and authorization.
It is just not this package's responsibility to authenticate requests. This is the regular approach, I'd argue. For example, the official prometheus client library for Python does not mention authentication in their documentation here. And prometheus flask exporter relies on external authentication via decorator, see here.
So I am not sure if I want to add this. It opens a whole can of worms.
Alternatives that work without adding this feature:
expose() and instead writing the endpoint yourself.
On the other side prometheus-fastapi-instrumentator already has many (too many) knobs, handles, feature flags... So one more parameter makes it just a little worse.
@trallnag did you consider example/tools to run metrics on a separate port?
Wouldn't exposing the metrics endpoint with the main app be a bad security practice? Maybe add HTTP Basic authentication?
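One way to put HTTP Basic authentication in front of the metrics path without any change to the instrumentator, as an added example that is not code from this thread or from the project: a plain ASGI middleware that can wrap any ASGI application, which includes a FastAPI app. The names MetricsBasicAuth, demo_app and status_for, the /metrics path and the credentials are all assumptions made for the illustration.

```python
import asyncio
import base64
import hmac

class MetricsBasicAuth:
    """ASGI middleware: require HTTP Basic credentials on one path only."""
    def __init__(self, app, username, password, path="/metrics"):
        self.app, self.path = app, path
        self.expected = f"{username}:{password}".encode()

    def _authorized(self, scope):
        headers = dict(scope.get("headers") or [])  # ASGI: lowercase byte names
        scheme, _, token = headers.get(b"authorization", b"").partition(b" ")
        if scheme.lower() != b"basic":
            return False
        try:
            supplied = base64.b64decode(token.strip(), validate=True)
        except ValueError:  # malformed base64 is treated as a failed login
            return False
        return hmac.compare_digest(supplied, self.expected)  # constant-time

    async def __call__(self, scope, receive, send):
        guarded = scope["type"] == "http" and scope["path"].rstrip("/") == self.path
        if not guarded or self._authorized(scope):
            return await self.app(scope, receive, send)
        challenge = [(b"www-authenticate", b'Basic realm="metrics"')]
        await send({"type": "http.response.start", "status": 401, "headers": challenge})
        await send({"type": "http.response.body", "body": b""})

async def demo_app(scope, receive, send):
    # Constructed stand-in for the real application, e.g. a FastAPI instance.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"# metrics or page body"})

def status_for(app, path, credentials=None):
    """Send one constructed GET through the ASGI app and return its status."""
    headers, sent = [], []
    if credentials:
        token = base64.b64encode(credentials.encode())
        headers.append((b"authorization", b"Basic " + token))
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]

protected = MetricsBasicAuth(demo_app, "prometheus", "example-password")
```

Basic credentials are only base64-encoded on the wire, so the endpoint still needs TLS, and the password belongs in a secret store or environment variable rather than in source.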