The alert-api FastAPI service is exposed to the internet via /alerts/api/, and all authentication is handled in-app against Grafana credentials with no rate limiting or lockout. An attacker can brute-force passwords or hammer auth endpoints.
Mitigations:
- Add per-IP rate limiting to /alerts/api/* endpoints. This can be achieved in Caddy (recommended) or via FastAPI middleware.
- Consider not binding /alerts/api/ publicly at all unless it is truly needed; prefer a VPN for remote access.
Action Items:
- Implement reasonable per-IP rate limits for alert-api endpoints.
- Update documentation to clarify why direct public exposure is risky.
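As an added illustration of the FastAPI-middleware option (example code written for this note, not part of the alert-api project), a pure-ASGI wrapper that applies a per-IP sliding-window limit only to /alerts/api/* paths; the limit of 20 requests per 60 seconds and the `trusted_proxies` handling are assumptions, and the latter matters because behind Caddy every socket peer is the proxy itself.

```python
import time
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per client IP,
    applied only to paths under `prefix` (assumed defaults, tune for the deployment)."""

    def __init__(self, limit=20, window=60.0, prefix="/alerts/api/"):
        self.limit, self.window, self.prefix = limit, window, prefix
        self._hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip, path, now=None):
        if not path.startswith(self.prefix):
            return True  # unrelated paths are never throttled
        now = time.monotonic() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip(scope, trusted_proxies=frozenset()):
    """Resolve the real client: trust the last X-Forwarded-For entry only when the
    socket peer is a known proxy (e.g. the Caddy instance), otherwise use the peer."""
    peer = (scope.get("client") or ("unknown", 0))[0]
    if peer in trusted_proxies:
        for name, value in scope.get("headers", []):
            if name.lower() == b"x-forwarded-for":
                return value.decode().split(",")[-1].strip()
    return peer


class RateLimitMiddleware:
    """Wrap the FastAPI app (it is an ASGI app): app = RateLimitMiddleware(app, limiter)."""

    def __init__(self, app, limiter, trusted_proxies=frozenset()):
        self.app, self.limiter, self.trusted = app, limiter, trusted_proxies

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            ip = client_ip(scope, self.trusted)
            if not self.limiter.allow(ip, scope.get("path", "")):
                await send({"type": "http.response.start", "status": 429,
                            "headers": [(b"content-type", b"text/plain"),
                                        (b"retry-after", b"60")]})
                await send({"type": "http.response.body", "body": b"rate limit exceeded"})
                return
        await self.app(scope, receive, send)
```

The limiter state is per-process, so with several uvicorn workers each worker enforces its own count; a shared store or the Caddy-side limit is needed for a single global limit.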