config: Add a flag to control the /metrics and /status endpoints

It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.

Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>

lib/config/default.js

@@ -29,6 +29,10 @@ module.exports = {
     allowFraming: true,
     allowPDFEmbed: true
   },
+  observability: {
+    exposeMetrics: true,
+    exposeStatus: true
+  },
   cookiePolicy: 'lax',
   protocolUseSSL: false,
   allowAnonymous: true,

lib/config/environment.js

@@ -18,6 +18,10 @@ module.exports = {
     includeSubdomains: toBooleanConfig(process.env.CMD_HSTS_INCLUDE_SUBDOMAINS),
     preload: toBooleanConfig(process.env.CMD_HSTS_PRELOAD)
   },
+  observability: {
+    exposeMetrics: toBooleanConfig(process.env.CMD_OBSERVABILITY_EXPOSE_METRICS),
+    exposeStatus: toBooleanConfig(process.env.CMD_OBSERVABILITY_EXPOSE_STATUS)
+  },
   csp: {
     enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
     reportURI: process.env.CMD_CSP_REPORTURI,