
/metrics endpoint exposed

Open lothardp opened this issue 3 years ago • 3 comments

I have a Connect server deployed in a different cloud service than my main app, so I am using Let's Encrypt to protect the communication from my app to the 1Password Connect server. I noticed that the /metrics endpoint in the server is publicly available, and it responds with information about the server. I am not sure if you (at 1Password) are aware of this. I don't think this is sensitive information, but I think it would be better if it wasn't public.

lothardp avatar Sep 28 '22 16:09 lothardp

Hey @lothardp! I can confirm that the /metrics endpoint is available without authenticating, and I likewise suspect that this is not intended.

I'll discuss this with our team internally and update the issue shortly. Thanks for bringing this to our attention.

ag-adampike avatar Sep 28 '22 20:09 ag-adampike

We are discussing internally and working on a solution for this. Thanks again for filing the issue!

In the meantime, (if possible) you might consider restricting public traffic to the data endpoints you require.

ag-adampike avatar Sep 29 '22 12:09 ag-adampike
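One way to apply that workaround, as an added example that is not from this issue or from 1Password: an nginx reverse proxy (assumed to be the Let's Encrypt TLS terminator in front of Connect, with Connect assumed to listen on 127.0.0.1:8080 and to serve its REST API under /v1/) that forwards only the API path to the Internet and limits /metrics to an assumed internal monitoring range.

```nginx
# Added example, not 1Password's own configuration.
# Assumptions: nginx terminates TLS in front of the Connect server, which
# listens on 127.0.0.1:8080; the Connect REST API lives under /v1/;
# 10.0.0.0/8 stands in for the internal network that runs the scraper.

upstream connect {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name connect.example.com;
    ssl_certificate     /etc/letsencrypt/live/connect.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/connect.example.com/privkey.pem;

    # Weak: a catch-all proxy publishes every Connect path, /metrics included.
    # location / {
    #     proxy_pass http://connect;
    # }

    # Hardened: only the API path the app actually needs is reachable from outside.
    location /v1/ {
        proxy_pass http://connect;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # /metrics stays available to the internal scraper and is refused (403)
    # for everyone else.
    location = /metrics {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://connect;
    }

    # Any other path is not proxied at all.
    location / {
        return 404;
    }
}
```

With this in place, `curl -i https://connect.example.com/metrics` from outside the allowed range should return 403 while `/v1/` requests from the app continue to work; if your orchestrator probes Connect's health endpoints through the proxy, add a matching restricted location for them as well.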

You're welcome, and thank you for your quick responses and the tip.

lothardp avatar Sep 29 '22 15:09 lothardp