trallnag / prometheus-fastapi-instrumentator

Instrument your FastAPI with Prometheus metrics.
ISC License

Security Concern #283

Open zidokobik opened 8 months ago

zidokobik commented 8 months ago

Wouldn't exposing the metrics endpoint with the main app be a bad security practice? Maybe add HTTP Basic authentication?

0xecute commented 7 months ago

Totally agree. HTTP basic auth or IP whitelisting

trallnag commented 7 months ago

Hi, I would not consider it a bad security practice. It really depends on the architecture of your application. For example you could have an ingress like Traefik or Nginx in front of the API that handles everything related to authentication and authorization.

It is just not this package's responsibility to authenticate requests. This is the regular approach, I'd argue. For example the official Prometheus client library for Python does not mention authentication in its documentation here. And prometheus flask exporter relies on external authentication via decorator, see here.

So I am not sure if I want to add this. It opens a whole can of worms.

Alternatives that work without adding this feature:

On the other side prometheus-fastapi-instrumentator already has many (too many) knobs, handles, feature flags... So one more parameter makes it just a little worse.

aovasylenko commented 6 months ago

@trallnag did you consider example/tools to run metrics on a separate port?
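The two approaches discussed in this thread, keeping authentication outside the instrumentator (a front proxy or a dependency of your own) and serving metrics on a separate listener so the main application port never exposes them, can be combined in a few lines. The block below is an added example, not code from prometheus-fastapi-instrumentator or from any commenter here: it uses only the Python standard library, the metrics text is a constructed sample standing in for what a Prometheus client would render, and the names `make_metrics_server`, `basic_auth_ok`, `client_allowed`, `basic_header`, `scrape` and the placeholder credentials are all assumptions made for the example. The same two checks would sit in a FastAPI dependency or in the Nginx/Traefik `location` rule if you keep `/metrics` on the main app instead.

```python
"""Serve /metrics on its own listener, gated by an IP allowlist and HTTP Basic auth.

Added example (standard library only), not part of prometheus-fastapi-instrumentator.
"""
import base64
import hmac
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Iterable, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample exposition text; a real client library would render this.
SAMPLE_METRICS = (
    "# HELP http_requests_total Total HTTP requests.\n"
    "# TYPE http_requests_total counter\n"
    'http_requests_total{handler="/",method="GET",status="2xx"} 42\n'
)


def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization' value a scraper (e.g. Prometheus basic_auth) sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: Optional[str], user: str, password: str) -> bool:
    """Validate an 'Authorization: Basic ...' header with constant-time comparison."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    given_user, sep, given_pw = decoded.partition(":")
    if not sep:
        return False
    # Compare both fields unconditionally so timing does not reveal which one failed.
    user_ok = hmac.compare_digest(given_user.encode(), user.encode())
    pw_ok = hmac.compare_digest(given_pw.encode(), password.encode())
    return user_ok and pw_ok


def client_allowed(ip: str, allowed_cidrs: Iterable[str]) -> bool:
    """True if the peer address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


class MetricsHandler(BaseHTTPRequestHandler):
    # Overridden per server by make_metrics_server(); placeholder defaults only.
    allowed_cidrs: Tuple[str, ...] = ("127.0.0.0/8",)
    credentials: Tuple[str, str] = ("scraper", "change-me")

    def do_GET(self) -> None:
        if self.path != "/metrics":
            self.send_error(404)
            return
        if not client_allowed(self.client_address[0], self.allowed_cidrs):
            self.send_error(403)  # allowlist is checked before credentials
            return
        user, password = self.credentials
        if not basic_auth_ok(self.headers.get("Authorization"), user, password):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="metrics"')
            self.end_headers()
            return
        body = SAMPLE_METRICS.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def make_metrics_server(host: str = "127.0.0.1", port: int = 0,
                        allowed_cidrs: Iterable[str] = ("127.0.0.0/8",),
                        credentials: Tuple[str, str] = ("scraper", "change-me")) -> ThreadingHTTPServer:
    """Start the metrics listener on its own port (0 = pick a free one) in a daemon thread."""
    handler = type("ConfiguredMetricsHandler", (MetricsHandler,),
                   {"allowed_cidrs": tuple(allowed_cidrs), "credentials": credentials})
    server = ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def scrape(port: int, user: Optional[str] = None, password: str = "",
           path: str = "/metrics") -> Tuple[int, str]:
    """Fetch the endpoint like a scraper would; returns (status, body)."""
    req = Request(f"http://127.0.0.1:{port}{path}")
    if user is not None:
        req.add_header("Authorization", basic_header(user, password))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    srv = make_metrics_server()
    p = srv.server_address[1]
    print(scrape(p))                          # 401: no credentials
    print(scrape(p, "scraper", "change-me"))  # 200 with the sample metrics
    srv.shutdown()
```

Binding the listener to 127.0.0.1 or a cluster-internal address already removes it from the public application port; the allowlist and credential check are the defence for the case where the scraper has to cross a network boundary. Keep the check order (path, then allowlist, then credentials) so unauthenticated peers outside the allowlist learn nothing about the realm.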