Security considerations for metrics

dotnet · Oct 3, 2024 · 07556cf · 07556cf
1 parent 04fe2c4
commit 07556cf
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/documentation/configuration/metrics-configuration.md b/documentation/configuration/metrics-configuration.md
@@ -1,5 +1,8 @@
 # Metrics Configuration
 
+> [!IMPORTANT]
+> See [Security Considerations](../security-considerations.md#prometheus-metrics) for important information regarding security for the metrics endpoint.
+
 ## Default Providers
 
 The `/metrics` route (and starting in 8.0, the `/livemetrics` route and `CollectLiveMetrics` actions) will collect metrics from the default providers. The default providers are:

diff --git a/documentation/security-considerations.md b/documentation/security-considerations.md
@@ -33,4 +33,6 @@ $env:Egress__AzureBlobStorage__monitorBlob__AccountKey = "accountKey"; dotnet-mo
 
 For Kubernetes, a preferred alternative is to mount your secrets in the file system with restricted access - for more information and an example of how to do this, view the [Kubernetes documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). For additional information on how secrets work in Kubernetes, view the following [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret).
 
-## Item 3
+## Prometheus metrics
+
+By default, dotnet-monitor exposes [Prometheus](https://prometheus.io/docs/introduction/overview) metrics using http with an unauthenticated endpoint. This is to support the default [scraping configuration](https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-prometheus-logs?tabs=pod#tabpanel_1_pod). If your application contains custom metrics or tags, ensure that no sensitive data is being emitted in your metrics.