
Security Concern

Open zidokobik opened this issue 1 year ago • 3 comments

Wouldn't exposing the metrics endpoint with the main app be a bad security practice? Maybe add HTTP Basic authentication?

zidokobik avatar Feb 10 '24 05:02 zidokobik

Totally agree. HTTP basic auth or IP whitelisting

0xecute avatar Feb 24 '24 10:02 0xecute

Hi, I would not consider it a bad security practice. It really depends on the architecture of your application. For example, you could have an ingress like Traefik or Nginx in front of the API that handles everything related to authentication and authorization.

It is just not this package's responsibility to authenticate requests. This is the regular approach, I'd argue. For example, the official Prometheus client library for Python does not mention authentication in its documentation here. And prometheus flask exporter relies on external authentication via a decorator, see here.

So I am not sure if I want to add this. It opens a whole can of worms.

Alternatives that work without adding this feature:

  • Adding a middleware to the app that enforces HTTP basic auth.
  • Not using expose() and instead writing the endpoint yourself.
  • Getting the app with the metrics endpoint from the prometheus client lib and adding middleware for authentication there.

On the other hand, prometheus-fastapi-instrumentator already has many (too many) knobs, handles, feature flags... So one more parameter makes it just a little worse.

trallnag avatar Mar 12 '24 21:03 trallnag
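The first alternative above (a middleware that enforces HTTP Basic auth in front of the metrics path) as an added, stand-alone example. This is not code from prometheus-fastapi-instrumentator or from the commenter; it is a plain ASGI middleware written for this thread, so it runs without FastAPI installed. The username, password, protected path, and the tiny `inner_app` that stands in for the real `/metrics` handler are all constructed for the example. The `request()` helper drives the ASGI app offline with a hand-built scope so the behaviour can be checked without a server.

```python
import asyncio
import base64
import binascii
import hmac
from typing import Dict, Iterable, List, Tuple


class MetricsBasicAuthMiddleware:
    """Pure-ASGI middleware: require HTTP Basic credentials on one path.

    Every other path is passed straight through to the wrapped app, so the
    business endpoints keep whatever auth they already have.
    """

    def __init__(self, app, username: str, password: str,
                 protected_path: str = "/metrics", realm: str = "metrics"):
        self.app = app
        # Precompute the expected "user:pass" bytes once.
        self._expected = f"{username}:{password}".encode()
        self.protected_path = protected_path
        self.realm = realm

    def _authorized(self, headers: Iterable[Tuple[bytes, bytes]]) -> bool:
        for name, value in headers:
            if name.lower() == b"authorization":
                break
        else:
            return False  # no Authorization header at all
        scheme, _, encoded = value.partition(b" ")
        if scheme.lower() != b"basic" or not encoded.strip():
            return False  # wrong scheme (e.g. Bearer) or empty credentials
        try:
            decoded = base64.b64decode(encoded.strip(), validate=True)
        except (binascii.Error, ValueError):
            return False  # malformed base64 is a refusal, not a crash
        # Constant-time comparison so a wrong password does not leak where
        # the first mismatching byte is via response timing.
        return hmac.compare_digest(decoded, self._expected)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope["path"] != self.protected_path:
            await self.app(scope, receive, send)
            return
        if self._authorized(scope.get("headers", [])):
            await self.app(scope, receive, send)
            return
        body = b"Unauthorized"
        await send({
            "type": "http.response.start",
            "status": 401,
            "headers": [
                (b"www-authenticate", f'Basic realm="{self.realm}"'.encode()),
                (b"content-type", b"text/plain; charset=utf-8"),
                (b"content-length", str(len(body)).encode()),
            ],
        })
        await send({"type": "http.response.body", "body": body})


async def inner_app(scope, receive, send):
    """Constructed stand-in for the real app (e.g. the /metrics handler)."""
    body = b"ok " + scope["path"].encode()
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": body})


def request(app, path: str, headers: Iterable[Tuple[bytes, bytes]] = ()) \
        -> Tuple[int, Dict[bytes, bytes], bytes]:
    """Run one GET against an ASGI app offline; returns (status, headers, body)."""
    sent: List[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path,
             "headers": list(headers)}
    asyncio.run(app(scope, receive, send))
    start = sent[0]
    body = b"".join(m.get("body", b"") for m in sent
                    if m["type"] == "http.response.body")
    return start["status"], dict(start["headers"]), body


def basic_header(user: str, password: str) -> Tuple[bytes, bytes]:
    """Build the Authorization header a scraper would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (b"authorization", f"Basic {token}".encode())


# Hypothetical credentials for the example; a real deployment would load them
# from a secret store, not a literal.
protected = MetricsBasicAuthMiddleware(inner_app, username="prom", password="s3cret")

if __name__ == "__main__":
    print(request(protected, "/metrics"))
    print(request(protected, "/metrics", [basic_header("prom", "s3cret")]))
    print(request(protected, "/metrics", [basic_header("prom", "wrong")]))
    print(request(protected, "/metrics", [(b"authorization", b"Basic not-base64!")]))
    print(request(protected, "/healthz"))
```

With FastAPI (a Starlette app) the same class is attached with `app.add_middleware(MetricsBasicAuthMiddleware, username=..., password=...)`, which instantiates it around the app; for the third alternative in the list above, the wrapped `app` can instead be the ASGI app that `prometheus_client.make_asgi_app()` returns, mounted on its own. Two caveats: Basic credentials travel base64-encoded, not encrypted, so this only protects the endpoint if the scrape path is behind TLS or confined to a trusted network, and the constant-time compare still reveals whether the supplied length matches, which is why the expected value is a fixed `user:pass` string rather than something derived from the request.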

@trallnag did you consider example/tools to run metrics on a separate port?

aovasylenko avatar Apr 10 '24 12:04 aovasylenko