From 6043155666ef77ec28badeb4a9d4792f0fca7cbc Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Fri, 15 May 2020 20:27:28 +0200 Subject: [PATCH] Add note about browsers Signed-off-by: Julien Pivotto --- content/docs/operating/security.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/docs/operating/security.md b/content/docs/operating/security.md index 7768ad575..611be0de3 100644 --- a/content/docs/operating/security.md +++ b/content/docs/operating/security.md @@ -185,11 +185,15 @@ so do not limit a user's ability to run arbitrary queries in proxy mode. ## Secrets -Non-secret information or fields may be available via the HTTP API and/or logs. +Non-secret information or fields may be available via the HTTP API, browser +local storage, and/or logs. In Prometheus, metadata retrieved from service discovery is not considered secret. Throughout the Prometheus system, metrics are not considered secret. +Forms in the web interfaces are not considered secrets. That includes free-text +fields, like the silences in Alertmanager. + Fields containing secrets in configuration files (marked explicitly as such in the documentation) will not be exposed in logs or via the HTTP API. Secrets should not be placed in other configuration fields, as it is common for
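Review bot: In the paragraph added under "## Secrets", the sentence "Forms in the web interfaces are not considered secrets" names the forms rather than the values typed into them, and says "secrets" where the two sentences just above it say "not considered secret". Suggested wording: "Values entered into forms in the web interfaces are not considered secret." The paragraph also leaves its connection to the new "browser local storage" wording in the first changed sentence implicit. If the reason is that form input can end up in browser local storage, say so in this paragraph, so readers understand why free-text fields such as Alertmanager silences are called out. It would also help to add an explicit instruction not to enter credentials in those fields, mirroring the existing "Secrets should not be placed in other configuration fields" guidance that follows.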