prometheus/blackbox_exporter

Feature request - cmdline flag to disable/change url for debug pprof endpoints

123456890987654321 opened this issue · 3 comments

/debug/pprof endpoints are exposed by default, automatically, by the net/http/pprof import, which is reported as a High security vulnerability by several different vulnerability scanners.

Although we do understand the importance of having pprof endpoints available for debugging/tuning of the exporter, it would be nice to have the ability to turn them off completely in production environments (or to opt in to enable them just for debugging).

Example PR (with /debug/pprof enabled for backward compatibility) #1162
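An added example of the opt-in wiring the request describes; this is not code from blackbox_exporter or from the linked PR. The flag names `web.enable-pprof` and `web.pprof-path`, the port, and the `/metrics` placeholder handler are assumptions made for the example.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// newMux builds the exporter's HTTP mux. Profiling handlers are wired in only when
// enablePprof is true, under the caller-chosen prefix. Merely importing net/http/pprof
// registers them on http.DefaultServeMux, so always serve this explicit mux, never nil.
func newMux(enablePprof bool, prefix string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "# placeholder /metrics (constructed)") })
	if !enablePprof {
		return mux
	}
	mux.HandleFunc(prefix+"/", pprof.Index)
	mux.HandleFunc(prefix+"/cmdline", pprof.Cmdline)
	mux.HandleFunc(prefix+"/profile", pprof.Profile)
	mux.HandleFunc(prefix+"/symbol", pprof.Symbol)
	mux.HandleFunc(prefix+"/trace", pprof.Trace)
	// Named runtime profiles are registered explicitly so they also work under
	// a non-default prefix (pprof.Index only resolves names below /debug/pprof/).
	for _, name := range []string{"allocs", "block", "goroutine", "heap", "mutex", "threadcreate"} {
		mux.Handle(prefix+"/"+name, pprof.Handler(name))
	}
	return mux
}

// statusFor returns the HTTP status the mux gives a GET on path, so the
// absence of the profiling routes can be checked without opening a socket.
func statusFor(mux *http.ServeMux, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Hypothetical flag names; blackbox_exporter does not define these.
	enable := flag.Bool("web.enable-pprof", false, "expose Go pprof endpoints (off by default)")
	prefix := flag.String("web.pprof-path", "/debug/pprof", "URL prefix for the pprof endpoints")
	flag.Parse()
	mux := newMux(*enable, *prefix)
	log.Fatal(http.ListenAndServe("127.0.0.1:9115", mux))
}
```

With the flag left at its default, a GET on `/debug/pprof/` returns 404 from this mux while `/metrics` still answers; enabling it restores the index, and a custom prefix moves all profile routes with it.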

Security scanners often produce false positives. I have not seen any evidence that pprof constitutes an actual vulnerability any more than /metrics.

There is no doubt that security scanners report strange things without evidence, but there is certainly one common requirement - at least production environments should not expose extra stuff that is not strictly necessary for operations, so the ability to disable it on demand is always welcome (otherwise users are simply forced into security by obscurity).

This is not something we plan to implement here.