Secure internal-backstage endpoints #561
Assignees
Labels
enhancement
New feature or request
Comments
|
Thanks for opening the issue 👍 |
|
So, as a work around for now, in 19.6.1 each endpoint has a toggle to turn it off. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature request
I would like Edge to hide internal-backstage endpoints by default (except health/ready).
Background
Currently we expose quite a few details in our /internal-backstage urls
/internal-backstage/metrics
/internal-backstage/features
/internal-backstage/tokens
/internal-backstage/metricsbatch
In Unleash's loadbalanced setup, we always block public access to URLs containing /internal-backstage. But not all users of Edge will have our loadbalancer setup.
Solution suggestions
I'd like us to by default not mount the internal-backstage endpoints.
Preferably we'd have a way to setup basic auth for the internal-backstage endpoints, or alternately (for Unleash's sake) a switch turning them all on.
The text was updated successfully, but these errors were encountered: