docs/http/http-metrics.md
+18
@@ -135,13 +135,19 @@ SHOULD include the [application root](/docs/http/http-spans.md#http-server-defin
135
135
136
136
SHOULD NOT be set if only IP address is available and capturing name would require a reverse DNS lookup.
137
137
138
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
139
+
to trigger cardinality limits, degrading the usefulness of the metric.
140
+
138
141
**[7]:** Determined by using the first of the following that applies
139
142
140
143
- Port identifier of the [primary server host](/docs/http/http-spans.md#http-server-definitions) of the matched virtual host.
141
144
- Port identifier of the [request target](https://www.rfc-editor.org/rfc/rfc9110.html#target.resource)
142
145
if it's sent in absolute-form.
143
146
- Port identifier of the `Host` header
144
147
148
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
149
+
to trigger cardinality limits, degrading the usefulness of the metric.
150
+
145
151
**[8]:** The scheme of the original client request, if known (e.g. from [Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded), [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto), or a similar header). Otherwise, the scheme of the immediate peer request.
146
152
147
153
`error.type` has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
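Review bot: The warning added under **[7]** (new lines 148-149) attributes the risk to the `Host` header alone, but of the three sources listed just above it, two are supplied by the client: the request target when sent in absolute-form, and the `Host` header. The first source, the port of the primary server host of the matched virtual host, is a property of the matched virtual host rather than something the client sends. Suggest scoping the sentence to the request-derived fallbacks and naming the absolute-form target alongside `Host`, so readers can tell that a value resolved from the matched virtual host does not carry this exposure.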
@@ -316,13 +322,19 @@ SHOULD include the [application root](/docs/http/http-spans.md#http-server-defin
316
322
317
323
SHOULD NOT be set if only IP address is available and capturing name would require a reverse DNS lookup.
318
324
325
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
326
+
to trigger cardinality limits, degrading the usefulness of the metric.
327
+
319
328
**[7]:** Determined by using the first of the following that applies
320
329
321
330
- Port identifier of the [primary server host](/docs/http/http-spans.md#http-server-definitions) of the matched virtual host.
322
331
- Port identifier of the [request target](https://www.rfc-editor.org/rfc/rfc9110.html#target.resource)
323
332
if it's sent in absolute-form.
324
333
- Port identifier of the `Host` header
325
334
335
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
336
+
to trigger cardinality limits, degrading the usefulness of the metric.
337
+
326
338
**[8]:** The scheme of the original client request, if known (e.g. from [Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded), [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto), or a similar header). Otherwise, the scheme of the immediate peer request.
327
339
328
340
`error.type` has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
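Review bot: In the warning at new lines 325-326, "cardinality limits" is used without a link, whereas the neighbouring notes link the terms they rely on (primary server host, request target, Forwarded), and the text stops at "degrading the usefulness of the metric" without telling a user who opts in what to do about it. Suggest linking the term to its definition and adding one sentence of guidance, for example recording the attribute only when the value matches a host name the server is configured to serve.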
@@ -423,13 +435,19 @@ SHOULD include the [application root](/docs/http/http-spans.md#http-server-defin
423
435
424
436
SHOULD NOT be set if only IP address is available and capturing name would require a reverse DNS lookup.
425
437
438
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
439
+
to trigger cardinality limits, degrading the usefulness of the metric.
440
+
426
441
**[7]:** Determined by using the first of the following that applies
427
442
428
443
- Port identifier of the [primary server host](/docs/http/http-spans.md#http-server-definitions) of the matched virtual host.
429
444
- Port identifier of the [request target](https://www.rfc-editor.org/rfc/rfc9110.html#target.resource)
430
445
if it's sent in absolute-form.
431
446
- Port identifier of the `Host` header
432
447
448
+
Warning: since this attribute may be based on the `Host` header, opting in to it may allow an attacker
449
+
to trigger cardinality limits, degrading the usefulness of the metric.
450
+
433
451
**[8]:** The scheme of the original client request, if known (e.g. from [Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded), [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto), or a similar header). Otherwise, the scheme of the immediate peer request.
434
452
435
453
`error.type` has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
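Review bot: The two-line warning at new lines 438-439 is repeated verbatim at 448-449, and in both places it is a free-standing paragraph set off by blank lines from the note it follows, so the reader has to infer from position alone what "this attribute" refers to. Suggest folding each warning into the note it qualifies (the one ending "would require a reverse DNS lookup." and **[7]**) or naming the attribute explicitly in the sentence, and marking it up consistently with the bold note labels instead of a plain "Warning:" prefix.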