REST server is leaking monitoring data

It's really cool that you started using Spring Boot Actuator to monitor your data (it wasn't the case a couple of days ago!), but as you don't use Spring Security, this means the monitoring endpoints are available to the outside world.

In your configuration file https://gitlab.inria.fr/stopcovid19/robert-server/-/blob/develop/robert-server-ws-rest/src/main/resources/application.properties#L42 we see that by default you expose the "health" and "metrics" endpoints. The first one probably isn't very dangerous, but I wouldn't expose the second one: you can have lots of things being exposed through it.

You should either add Spring Security, or block this endpoint (just block "/actuator/*") on your gateway/reverse proxy. Or do both, just in case :-)
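
A configuration sketch of the exposure change discussed in this issue, added here as an example and not taken from the robert-server repository. The "before" line is reconstructed from the issue's description, and the port 8081 is an assumed value.

```properties
# Before, as described in the issue (reconstructed, not copied from the repository):
# both endpoints are served under /actuator on the public application port.
# management.endpoints.web.exposure.include=health,metrics

# After: expose only the health endpoint over HTTP.
management.endpoints.web.exposure.include=health
# Keep the health response to a bare status, with no component details.
management.endpoint.health.show-details=never

# Optional: serve actuator on its own port, bound to loopback, so that the
# public connector never answers /actuator/* at all.
# 8081 is an assumed value; management.server.address only takes effect when
# management.server.port differs from server.port.
management.server.port=8081
management.server.address=127.0.0.1
```

With the management port bound to loopback, `metrics` can be added back to the include list for a local monitoring agent without being reachable from outside.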