config: Add a flag to control the /metrics and /status endpoints

It can be a security concern in some environments to expose system capabilities even though they don't expose any PII. Add some flags (defaulted `true` to maintain existing behaviour) to control whether the /metrics and /status (and anything in the StatusRouter) are exposed. Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
2023-01-23 15:23:20 +01:00
parent e5a8a3b041
commit d10ead4c6c
5 changed files with 48 additions and 21 deletions
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -29,6 +29,10 @@ module.exports = {
    allowFraming: true,
    allowPDFEmbed: true
  },
+  observability: {
+    exposeMetrics: true,
+    exposeStatus: true
+  },
  cookiePolicy: 'lax',
  protocolUseSSL: false,
  allowAnonymous: true,