client_python

Reject invalid HTTP methods and resources

Open andy-maier opened this issue 1 year ago • 0 comments

This change addresses issue #1018 (currently, any HTTP method is handled by returning success and metrics data, which causes network scanners to report issues).

Note, this needs careful review w.r.t.:

  • Does Prometheus issue any HTTP requests that are now rejected?
  • Does HEAD need to be supported?
  • Does the /metrics resource, for which metrics are returned, need to be configurable by the users of this package?
  • Does the strict handling need to be enabled/disabled by the users of this package?
  • Are unit tests needed?

Note, the pinning of asgiref==3.6.0 removes a test error in the py3.8 tox environment (same fix that already existed for the pypy3.8 tox environment). I don't know why the error on py3.8 comes up in the first place. I guess someone more experienced than me needs to look at that.

For details, see the commit message.

andy-maier Mar 30 '24 05:03
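The behaviour described above, sketched as an added example (not the code from this change and not the prometheus_client API): a WSGI wrapper that answers 404 for any path other than /metrics and 405 with an Allow header for any method outside an allow-list. `strict_metrics_app`, `fake_metrics_app` and `probe` are hypothetical names, and the permissive stand-in app is constructed so the block runs without the library; whether HEAD belongs in the allow-list is left as a parameter because the post leaves it open.

```python
from wsgiref.util import setup_testing_defaults


def _reject(start_response, status, extra_headers):
    """Send a short plain-text error response without touching the metrics app."""
    body = (status + "\n").encode("ascii")
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    start_response(status, headers + extra_headers)
    return [body]


def strict_metrics_app(inner_app, path="/metrics", methods=("GET",)):
    """Wrap inner_app so that only `methods` on exactly `path` reach it (assumed defaults)."""
    def app(environ, start_response):
        if environ.get("PATH_INFO", "") != path:
            return _reject(start_response, "404 Not Found", [])
        if environ.get("REQUEST_METHOD", "") not in methods:
            # A 405 response should tell the client which methods are accepted.
            return _reject(start_response, "405 Method Not Allowed",
                           [("Allow", ", ".join(methods))])
        return inner_app(environ, start_response)
    return app


def fake_metrics_app(environ, start_response):
    """Constructed stand-in: returns 200 and metrics text for every request."""
    start_response("200 OK", [("Content-Type", "text/plain; version=0.0.4")])
    return [b"# TYPE demo_total counter\ndemo_total 1.0\n"]


def probe(app, method, path):
    """Send one constructed request to app; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    strict = strict_metrics_app(fake_metrics_app)
    for method, path in [("GET", "/metrics"), ("POST", "/metrics"),
                         ("TRACE", "/metrics"), ("GET", "/admin")]:
        print(method, path, "->", probe(strict, method, path)[0])
```
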