diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md index a4bd7fdcb14..710d82f221a 100644 --- a/docs/security-best-practices.md +++ b/docs/security-best-practices.md @@ -148,9 +148,6 @@ receivers: Generally, `localhost`-like addresses should be preferred over the 0.0.0.0 address. For more information, see [CWE-1327](https://cwe.mitre.org/data/definitions/1327.html). -To change the default endpoint to be `localhost`-bound in all components, enable the `component.UseLocalHostAsDefaultHost` feature gate. This feature gate will be enabled by default in the Collector in a future release. - - If `localhost` resolves to a different IP due to your DNS settings then explicitly use the loopback IP instead: `127.0.0.1` for IPv4 or `::1` for IPv6. In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. Using `localhost` may not work in environments like Docker, Kubernetes, and other environments that have non-standard networking setups. We've documented a few working example setups for the OTLP receiver gRPC endpoint below, but other receivers and other Collector components may need similar configuration. @@ -324,4 +321,4 @@ Extensions may also be used to run subprocesses. This can be useful when collection mechanisms that cannot natively be run by the Collector (e.g. FluentBit). Subprocesses expose a completely separate attack vector that would depend on the subprocess itself. In general, care should be taken before -running any subprocesses alongside the Collector. \ No newline at end of file +running any subprocesses alongside the Collector. diff --git a/receiver/otlpreceiver/README.md b/receiver/otlpreceiver/README.md index 1f3f2c1d3e9..aab0d924148 100644 --- a/receiver/otlpreceiver/README.md +++ b/receiver/otlpreceiver/README.md 
@@ -40,9 +40,9 @@ The following settings are configurable: - `endpoint` (default = localhost:4317 for grpc protocol, localhost:4318 http protocol): host:port to which the receiver is going to receive data. The valid syntax is - described at https://github.com/grpc/grpc/blob/master/doc/naming.md. The - `component.UseLocalHostAsDefaultHost` feature gate changes these to localhost:4317 and - localhost:4318 respectively. This will become the default in a future release. + described at https://github.com/grpc/grpc/blob/master/doc/naming.md. See our + [security best practices doc](https://opentelemetry.io/docs/security/config-best-practices/#protect-against-denial-of-service-attacks) + to understand how to set the endpoint in different environments. ## Advanced Configuration
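Review bot: In the `docs/security-best-practices.md` hunk at `@@ -148,9 +148,6`, removing the `component.UseLocalHostAsDefaultHost` paragraph leaves the section saying only that `localhost`-like addresses "should be preferred", with no statement of what components bind to by default. The README hunk in this same patch documents `default = localhost:4317` and `localhost:4318`, so a one-sentence replacement saying that default endpoints are `localhost`-bound would give the following paragraphs about `127.0.0.1` / `::1` and Docker/Kubernetes something to refer to. A short note on whether the gate name is still accepted would also help operators who enabled it on the strength of the removed sentence.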
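Review bot: In the `receiver/otlpreceiver/README.md` hunk at `@@ -40,9 +40,9`, the added link's fragment `#protect-against-denial-of-service-attacks` does not match what the sentence promises ("to understand how to set the endpoint in different environments"), so a reader lands under a denial-of-service heading and has to search for the endpoint guidance. Suggest either naming that section in the link text or linking a heading that is about endpoint binding. The link also targets opentelemetry.io rather than the `docs/security-best-practices.md` file edited in this same patch; if those are separate copies, a relative link would keep the reference in step with the text changed here. While this list item is being touched, the context line `localhost:4318 http protocol` is missing "for" to match `localhost:4317 for grpc protocol`.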