[metrics] change in security shield


Romain Manni-Bucau
Hi all


My last comment requires some discussion I think, but since the PR is not from G itself, I don't want to wait too long before getting it in.

Personally, I'd be tempted to add an event fired only if there is an observer and enhance the doc for Meecrowave/TomEE/Tomcat + support ranges with a warning saying it is not recommended, but I also get the easiness to not need to observe the event.

Main point is to ensure only the monitor (Prometheus or equivalent) can call the metrics endpoint since some sensitive - or even PII - data can be there.

Romain