starred/healthchecks
1
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2026-04-26 07:25:51 +03:00
Code Issues 56 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #877] Redact Ping URL for read-only users #618

New issue
Closed
opened 2026-02-25 23:43:04 +03:00 by kerem · 1 comment
kerem commented 2026-02-25 23:43:04 +03:00
Owner
Copy link

Originally created by @anymuster2 on GitHub (Aug 10, 2023).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/877

Hi,

Currently there exists a 'read-only' user role - implying the user can access but not modify the page, but the ping URLs are exposed to the user. This creates the scenario where a user could configure a cron job to trigger a ping URL, resulting in falsified data. I also assume but have not checked that the read-only APIs are similar (e.g., they also expose the ping URL).

Take the following scenario: A service with a healthcheck relies on transport infrastructure, the user is not responsible for the service but is responsible for any outages caused by transport infrastructure - the user should not have knowledge of the URL, but needs to know if the relevant service is offline.

I'd propose that exposure of token URLs is configurable to be redacted either based on user role, flag on the invite, or environment var. In some comparable scenarios (API token generation) on unrelated services, the secret is exposed to the creator only once - e.g., the UI will never reflect the secret again.

Originally created by @anymuster2 on GitHub (Aug 10, 2023). Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/877 Hi, Currently there exists a 'read-only' user role - implying the user can access but not modify the page, but the ping URLs are exposed to the user. This creates the scenario where a user could configure a cron job to trigger a ping URL, resulting in falsified data. I also assume but have not checked that the read-only APIs are similar (e.g., they also expose the ping URL). Take the following scenario: A service with a healthcheck relies on transport infrastructure, the user is not responsible for the service but is responsible for any outages caused by transport infrastructure - the user should not have knowledge of the URL, but needs to know if the relevant service is offline. I'd propose that exposure of token URLs is configurable to be redacted either based on user role, flag on the invite, or environment var. In some comparable scenarios (API token generation) on unrelated services, the secret is exposed to the creator only once - e.g., the UI will never reflect the secret again.
kerem closed this issue 2026-02-25 23:43:04 +03:00
kerem commented 2026-02-25 23:43:04 +03:00
Author
Owner
Copy link

@cuu508 commented on GitHub (Aug 10, 2023):

I also assume but have not checked that the read-only APIs are similar (e.g., they also expose the ping URL).

The API calls do not expose ping URL when using the read-only API key. For example, see the example API responses for the "List Existing Checks" API call: https://healthchecks.io/docs/api/#list-checks

When using the regular API key, responses contain a ping_url field. When using the read-only key, responses instead contain a unique_key field. The unique key is derived from the check's UUID using one-way function.

You can build a public dashboard that shows check statuses but gives no access to ping URLs using the read-only API keys. Pointers:

You can also use status badges, they also do not disclose ping URLs.

<!-- gh-comment-id:1672679481 --> @cuu508 commented on GitHub (Aug 10, 2023): > I also assume but have not checked that the read-only APIs are similar (e.g., they also expose the ping URL). The API calls do not expose ping URL when using the read-only API key. For example, see the example API responses for the "List Existing Checks" API call: https://healthchecks.io/docs/api/#list-checks When using the regular API key, responses contain a `ping_url` field. When using the read-only key, responses instead contain a `unique_key` field. The unique key is derived from the check's UUID using one-way function. You can build a public dashboard that shows check statuses but gives no access to ping URLs using the read-only API keys. Pointers: * https://github.com/healthchecks/dashboard * https://github.com/nicoandrade/healthchecks-front You can also use [status badges](https://healthchecks.io/docs/badges/), they also do not disclose ping URLs.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
py2
v4.1.1
v4.1
v4.0
v3.13
v3.12
v3.11.2
v3.11.1
v3.11
v3.10
v3.9
v3.8.2
v3.8.1
v3.8
v3.7
v3.6
v3.5.2
v3.5.1
v3.5
v3.4
v3.3
v3.2
v3.1
v3.0.1
v3.0
v2.10
v2.9.2
v2.9.1
v2.9
v2.8.1
v2.8
v2.7
v2.6.1
v2.6
v2.5
v2.4.1
v2.4
v2.3
v2.2.1
v2.2
v2.1
v2.0.1
v2.0
v1.25.0
v1.24.1
v1.24.0
v1.23.1
v1.23.0
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.0
v1.17.0
v1.16.0
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.4
v1.0.3
v1.0.2
1.0.2
v1.0.1
v1.0
Labels
Clear labels   
bug

   
bug

   
bug

   
feature

   
good-first-issue

   
new integration

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
bug
bug
feature
good-first-issue
new integration
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/healthchecks#618
No description provided.