- Bind to internal interfaces or localhost.
- Restrict port 9090/tcp to trusted admin networks.
- Use a reverse proxy with TLS and authentication.
Authentication and Access
- Prometheus has no built-in auth; enforce auth at the proxy.
- Restrict access to the /api and /config endpoints via proxy rules.
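An added example (not from the original page) of what the proxy rules above look like in nginx: TLS termination, basic auth enforced in front of Prometheus, and /api and /config limited to an admin network. The hostname, certificate paths, htpasswd file and admin CIDR are assumptions; Prometheus is assumed to be bound to 127.0.0.1:9090 as the first checklist suggests.

```nginx
# Added example, not part of the original page.
# Assumes Prometheus listens only on 127.0.0.1:9090 (bound to localhost)
# and that the htpasswd file and TLS paths below exist (hypothetical paths).
server {
    listen 443 ssl;
    server_name prometheus.example.internal;          # hypothetical hostname

    ssl_certificate     /etc/nginx/tls/prometheus.crt; # hypothetical path
    ssl_certificate_key /etc/nginx/tls/prometheus.key; # hypothetical path

    # Prometheus has no built-in auth, so every request must authenticate here.
    auth_basic           "Prometheus";
    auth_basic_user_file /etc/nginx/prometheus.htpasswd; # hypothetical path

    # /api and /config: require BOTH a valid login and an admin-network source
    # (nginx's default "satisfy all" applies allow/deny and auth_basic together).
    location ~ ^/(api|config) {
        allow 10.0.0.0/24;   # constructed admin network, adjust to your own
        deny  all;
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $host;
    }

    # Everything else (UI, /graph, /metrics) still requires authentication.
    location / {
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $host;
    }
}

# Never serve Prometheus over plain HTTP: redirect to TLS.
server {
    listen 80;
    server_name prometheus.example.internal;
    return 301 https://$host$request_uri;
}
```

Verify with `nginx -t` before reloading, and confirm from a host outside the admin network that `/api/v1/status/config` returns 403 even with valid credentials.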
Data and Retention
- Use short retention for high-cardinality metrics.
- Limit scrape targets and labels to reduce exposure.
- Run as a dedicated system user.
- Restrict filesystem permissions on /etc/prometheus and the data directory.
- Keep Prometheus and exporters updated.