/stats appears to be unprotected, no api key required

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. start etherpad, regardless in what mode
2. go to 'http://localhost:9001/stats'


**Expected behavior**
/stats should only be available with the given api key, maybe even by default disabled



**Server (please complete the following information):**
 - Etherpad version: 2.0.1-2.2.6, probably also earlier versions affected
 - OS: container
 - Is the server free of plugins: yes


**Additional Context:**
i do believe that exposing /stats while being unauthenticated is a security risk
- either apply the logic with the api key
- or better in my opinion disable the /metrics endpoint by default

i would favor the later because enabling that endpoint is an explicit action, if you do that, you probably don't want to also expose it in your reverse proxy or similar.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

/stats appears to be unprotected, no api key required #6793

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

/stats appears to be unprotected, no api key required #6793

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions