/status, /metrics are public
As a heads up, in HedgeDoc the /status and /metrics routes are public in https://github.com/hedgedoc/hedgedoc/pull/1857 . Just wondering if people here consider them "private"? I can fix the package accordingly.
luckow (last edited by luckow)
@girish please change it so that it is private. If it is possible (maybe sometime in the future, I am interested in the Prometheus endpoint), implement it as a "switch" in the .env file.
A little context: this kind of information is public at the status endpoint (https://demo.hedgedoc.org/status)
For a demo instance, that might be fine. But as an administrator of a self-hosted Hedgedoc, I want to decide what kind of transparency I want to share with the world.
I can see both sides here. As mentioned in the upstream issue, we could filter out those URLs if we used an additional reverse proxy specifically for the app. However, this adds another nginx instance, and since it is not maintained upstream, we might miss future routes which also need protection in the same way.
Ideally I still think this is really part of the upstream project, which could maybe even have settings for that.
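An illustration of the reverse-proxy approach discussed above, as an added example that is not part of the original thread, of Cloudron's packaging, or of HedgeDoc itself. The hostname, the HedgeDoc upstream on 127.0.0.1:3000 and the 10.0.0.0/8 scraper network are assumptions; the point is the two `location` blocks, which hide `/status` from everyone and restrict `/metrics` to an allow-listed network:

```nginx
# Added example (not Cloudron's or HedgeDoc's configuration): nginx in front of
# HedgeDoc, hiding /status from the public and limiting /metrics to an assumed
# internal Prometheus scraper network. Hostname, upstream and network are placeholders.
server {
    listen 443 ssl;
    server_name md.example.org;            # placeholder hostname

    # Exact match: only /status itself. Answer 404 so the route does not
    # advertise its existence; "return 403" would work as well.
    location = /status {
        return 404;
    }

    # Prefix match: /metrics and anything beneath it. Only the scraper
    # network gets through; everybody else receives 403 from nginx, and the
    # request never reaches HedgeDoc.
    location /metrics {
        allow 10.0.0.0/8;                  # assumed Prometheus scraper network
        deny  all;
        proxy_pass http://127.0.0.1:3000;  # assumed HedgeDoc upstream
    }

    # Everything else is proxied unchanged. HedgeDoc uses websockets for
    # realtime editing, so the Upgrade/Connection headers must be passed on.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
    }
}
```

After reloading nginx, `curl -sI https://md.example.org/status` from outside should return 404 and `curl -sI https://md.example.org/metrics` should return 403, while a scraper inside 10.0.0.0/8 still gets the 200 with the Prometheus text format. Because the blocks are a deny list of known paths, they only cover routes you know about; a new unauthenticated route added upstream in a later release would be exposed again until someone adds another `location` for it, which is exactly the maintenance concern raised above.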
luckow
@nebulon upstream has "heard us".