AspNetCore.Diagnostics.HealthChecks

Require authorization for both endpoint and UI

Open aleksvujic opened this issue 2 years ago • 0 comments

I checked the sample for Health Checks UI and found out that only the UI requires authorization, while the endpoint is unprotected. Was this done on purpose? Why would you protect the UI if the endpoint is unprotected? If you open the endpoint URL directly, all the data is available there without the need for authorization. This concerns me from a security perspective.

Requiring authorization for both the endpoint and the UI will crash the UI:

// Health endpoint, formatted for the UI, now requiring authorization
app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization();

// Health Checks UI, also requiring authorization
app.MapHealthChecksUI()
    .RequireAuthorization();

returns:

Unexpected character encountered while parsing value: <. Path '', line 0, position 0.

How do I protect both the user interface AND the endpoint?

aleksvujic avatar Aug 08 '22 11:08 aleksvujic
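One way to protect both while keeping the UI working, added here as an example and not code from the issue or from the project's own samples: the UI collector calls the endpoint server-side without the browser's cookie, and the `<` in the parse error is consistent with it receiving an HTML login page instead of JSON, so the endpoint below accepts either a signed-in user or a shared key that the collector attaches. The policy name `HealthEndpoint`, the header `X-Health-Api-Key` and the config key `HealthChecks:ApiKey` are placeholders, and `AddHealthCheckEndpoint` with a relative path, `ConfigureApiEndpointHttpclient` and `AddInMemoryStorage` are assumed to be available in the HealthChecks.UI version in use.

```csharp
// Added example, not from the issue or the project's samples. Assumes a minimal-hosting
// ASP.NET Core app with cookie (or other) authentication already registered, as in the sample.
using System.Security.Cryptography;
using System.Text;
using HealthChecks.UI.Client;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;

var builder = WebApplication.CreateBuilder(args);

// Shared secret between the UI collector and the endpoint (placeholder config key).
string healthApiKey = builder.Configuration["HealthChecks:ApiKey"]
    ?? throw new InvalidOperationException("HealthChecks:ApiKey is not configured");

builder.Services.AddAuthorization(options =>
{
    // Placeholder policy: a signed-in user (browser) or the collector presenting the key.
    options.AddPolicy("HealthEndpoint", policy => policy.RequireAssertion(ctx =>
        ctx.User.Identity?.IsAuthenticated == true
        || (ctx.Resource is HttpContext http
            && http.Request.Headers.TryGetValue("X-Health-Api-Key", out var presented)
            && CryptographicOperations.FixedTimeEquals(   // constant-time comparison
                   Encoding.UTF8.GetBytes(presented.ToString()),
                   Encoding.UTF8.GetBytes(healthApiKey)))));
});

builder.Services.AddHealthChecks();
builder.Services
    .AddHealthChecksUI(setup =>
    {
        setup.AddHealthCheckEndpoint("api", "/health");
        // The collector's HttpClient carries no browser cookie, so attach the key here.
        setup.ConfigureApiEndpointHttpclient((sp, client) =>
            client.DefaultRequestHeaders.Add("X-Health-Api-Key", healthApiKey));
    })
    .AddInMemoryStorage();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint: guarded by the combined policy, so opening it directly still requires a login.
app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization("HealthEndpoint");

// UI: default policy (authenticated user), as in the issue.
app.MapHealthChecksUI().RequireAuthorization();
app.Run();
```

The key only needs to be accepted on the health endpoint, so a leaked key exposes health data and nothing else; rotate it through configuration rather than redeploying.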