-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dropwizard-healthcheck exposes too much information on public port #7072
Comments
Unless I’m mistaken, healthchecks are only available on the admin port. So unless you’re using something like the |
I run DW with a pretty heavily-customized set of dependencies so I wasn't 100% sure about myself, but I went ahead and created a new project using the mvn archetype command, and it's definitely exposing the healthcheck names on the primary port:
Sample project: https://github.com/markjeffreymiller/helloplanet |
Prior to Dropwizard 2.1, the healthcheck JSON output (from
io.dropwizard.modules:dropwizard-health
) was limited to pretty much a boolean output ("healthy" or "unhealthy").With 2.1, the JSON response (when requested with
/health-check?name=all
) gives a fine-grained status for each upstream service, and it does so on the public port.This seems slightly dangerous to me from both a security and privacy perspective. Take for instance a situation like the following, where we are leaking to the public that the service uses a specific database (security), AND that there's likely a major product announcement forthcoming (privacy):
Now, I'm not saying this is a rootkit-level sort of security threat, but my feeling has always been that Dropwizard should be skewing toward a "default secure" mindset. And of course a properly configured loadbalancer will prevent this access from occurring, but not everyone is perfect all of the time.
I'm all for exposing this detailed information on the admin port, and for exposing a very limited, zero-details healthcheck service on the public port. But it really seems like a security failure to make those details available, in the default configuration, on the public port.
The text was updated successfully, but these errors were encountered: