Store two URLs on monitor (one public, one internal) #2937

New issue

Closed

opened 2026-02-28 03:12:11 -05:00 by deekerman · 2 comments

deekerman commented 2026-02-28 03:12:11 -05:00

Owner

Copy link

Originally created by @sevmonster on GitHub (Dec 19, 2023).

⚠️ Please verify that this feature request has NOT been suggested before.

• I checked and didn't find similar feature request

🏷️ Feature Request Type

UI Feature, Other

🔖 Feature description

On HTTP, push, and any other monitor with a URL field—or on monitors that have previously had a URL field set and have had their type changed, so that the url field is set in the database—that URL (which may be internal) is used in a number of places, including status pages, Discord alerts, and as the action for Ntfy notifications.

In the case of status pages, you can elect to show or hide the URL. But for notifications and Discord, you cannot hide the URL; it will always be shown to the end user. There may be other places this can happen other than what I have listed.

The problem is that unless you protect your notification/integration endpoints so that only authorized users may utilize them, this can expose internal-only URLs to external users. And I imagine it would be common to use special URLs for Uptime Kuma, that bypass WAFs, authentication, or otherwise, so that they do not get in the way of monitoring the service.

If there is not a proxy sitting in front of the URL given to Uptime Kuma that can protect against external users accessing it, and if there is no network firewall that blocks sources other than Uptime Kuma and the frontend web proxy, then anyone could grab these URLs and access the underlying service, potentially without the usual protections for the public URL.

✔️ Solution

Add a public-facing URL field in addition to the existing internal URL field. This field could also point to documentation for monitors that don't have a web interface. In all cases where the internal URL field is used, the public one is shown instead. Database migrations for this change could copy over the internal URL to a new public URL column for forward-compatibility.

❓ Alternatives

Always make sure any URLs you put into Uptime Kuma are protected by a reverse proxy with basic auth/bearer tokens enabled.

📝 Additional Context

I am not sure how this is separate to #3991. It seems to me that we are talking about the same things, just in different ways.

#1793 is also relevant: It shows that a lot of potentially sensitive information is leaked out of Uptime Kuma, to anyone that is given access to notifications or potentially the status pages. This makes it difficult to use/recommend Uptime Kuma for public-facing service.

Originally created by @sevmonster on GitHub (Dec 19, 2023). ### ⚠️ Please verify that this feature request has NOT been suggested before. - [X] I checked and didn't find similar feature request ### 🏷️ Feature Request Type UI Feature, Other ### 🔖 Feature description On HTTP, push, and any other monitor with a URL field—or on monitors that have previously had a URL field set and have had their type changed, so that the `url` field is set in the database—that URL (which may be internal) is used in a number of places, including status pages, Discord alerts, and as the `action` for Ntfy notifications. In the case of status pages, you can elect to show or hide the URL. But for notifications and Discord, you cannot hide the URL; it will always be shown to the end user. There may be other places this can happen other than what I have listed. The problem is that unless you protect your notification/integration endpoints so that only authorized users may utilize them, this can expose internal-only URLs to external users. And I imagine it would be common to use special URLs for Uptime Kuma, that bypass WAFs, authentication, or otherwise, so that they do not get in the way of monitoring the service. If there is not a proxy sitting in front of the URL given to Uptime Kuma that can protect against external users accessing it, and if there is no network firewall that blocks sources other than Uptime Kuma and the frontend web proxy, then anyone could grab these URLs and access the underlying service, potentially without the usual protections for the public URL. ### ✔️ Solution Add a public-facing URL field in addition to the existing internal URL field. This field could also point to documentation for monitors that don't have a web interface. In all cases where the internal URL field is used, the public one is shown instead. Database migrations for this change could copy over the internal URL to a new public URL column for forward-compatibility. ### ❓ Alternatives Always make sure any URLs you put into Uptime Kuma are protected by a reverse proxy with basic auth/bearer tokens enabled. ### 📝 Additional Context I am not sure how this is separate to #3991. It seems to me that we are talking about the same things, just in different ways. #1793 is also relevant: It shows that a lot of potentially sensitive information is leaked out of Uptime Kuma, to anyone that is given access to notifications or potentially the status pages. This makes it difficult to use/recommend Uptime Kuma for public-facing service.

deekerman 2026-02-28 03:12:11 -05:00

• closed this issue
• added the
  feature-request
  A:status-page
  labels

deekerman commented 2026-02-28 03:12:16 -05:00

Author

Owner

Copy link

@CommanderStorm commented on GitHub (Dec 19, 2023):

I am not sure how this is separate to https://github.com/louislam/uptime-kuma/issues/3991

Currently the push url is bound to the primary base url of the instance. Said issue asks if it is possible to change this for push monitors.

Related https://github.com/louislam/uptime-kuma/issues/927

Closing as a duplicate of #2507

@CommanderStorm commented on GitHub (Dec 19, 2023): > I am not sure how this is separate to https://github.com/louislam/uptime-kuma/issues/3991 Currently the push url is bound to the primary base url of the instance. Said issue asks if it is possible to change this for push monitors. Related https://github.com/louislam/uptime-kuma/issues/927 Closing as a duplicate of #2507

deekerman commented 2026-02-28 03:12:17 -05:00

Author

Owner

Copy link

@CommanderStorm commented on GitHub (Dec 19, 2023):

This makes it difficult to use/recommend Uptime Kuma for public-facing service.

Here is our contribution guide: https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md

@CommanderStorm commented on GitHub (Dec 19, 2023): > This makes it difficult to use/recommend Uptime Kuma for public-facing service. Here is our contribution guide: https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

npm-update

3.0.X

dev-better-auth

copilot/remove-password-complexity-requirements

2.2.X

copilot/sub-pr-6355

1.23.X

api-via-socketio-client

2.1.3

2.1.2

2.1.1

2.1.0

2.1.0-beta.3

2.1.0-beta.2

2.1.0-beta.1

2.1.0-beta.0

2.0.2

2.0.1

1.23.17

2.0.0

2.0.0-beta.4

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.2-temp

2.0.0-beta.1

1.23.16

2.0.0-beta.0

1.23.15

1.23.14

1.23.13

1.23.12

1.23.11

1.23.10

1.23.9

1.23.8

1.23.7

1.23.6

1.23.5

1.23.5-beta.0

1.23.4

1.23.3

1.23.2

1.23.1

1.23.0

1.23.0-beta.1

1.23.0-beta.0

1.22.1

1.22.0

1.22.0-beta.0

1.21.3

1.21.2

1.21.2-beta.0

1.21.1

1.21.0

1.21.0-beta.1

1.21.0-beta.0

1.20.2

1.20.1

1.20.0

1.20.0-beta.0

1.19.6

1.19.5

1.19.4

1.19.3

1.19.2

1.19.1

1.19.0

1.19.0-beta.2

1.19.0-beta.1

1.19.0-beta.0

1.18.5

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-beta.0

1.17.1

1.17.0

1.17.0-beta.1

1.17.0-beta.0

1.16.1

1.16.0

1.16.0-beta.0

1.15.1

1.15.0

1.15.0-beta.1

1.14.1

1.15.0-beta.0

1.14.0

1.14.0-beta.2

1.13.2

1.14.0-beta.1

1.14.0-beta.0

1.13.1

1.13.0

1.13.0-beta.2

1.13.0-beta.1

1.13.0-beta.0

1.12.1

1.12.0

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.10.2

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

A:accessibility

  

A:api

  

A:cert-expiry

  

A:core

  

A:dashboard

  

A:deployment

  

A:documentation

  

A:domain expiry

  

A:incidents

  

A:maintenance

  

A:metrics

  

A:monitor

  

A:notifications

  

A:reports

  

A:settings

  

A:status-page

  

A:ui/ux

  

A:user-management

  

Stale

  

ai-slop

  

blocked

  

blocked-upstream

  

bug

  

cannot-reproduce

  

dependencies

  

discussion

  

duplicate

  

feature-request

  

feature-request

  

good first issue

  

hacktoberfest

  

help

  

help wanted

  

house keeping

  

invalid

  

invalid-format

  

invalid-format

  

question

  

releaseblocker 🚨

  

security

  

spam

  

type:enhance-existing

  

type:new

  

wontfix

No labels

A:accessibility

A:api

A:cert-expiry

A:core

A:dashboard

A:deployment

A:documentation

A:domain expiry

A:incidents

A:maintenance

A:metrics

A:monitor

A:notifications

A:reports

A:settings

A:status-page

A:ui/ux

A:user-management

Stale

ai-slop

blocked

blocked-upstream

bug

cannot-reproduce

dependencies

discussion

duplicate

feature-request

feature-request

good first issue

hacktoberfest

help

help wanted

house keeping

invalid

invalid-format

invalid-format

question

releaseblocker 🚨

security

spam

type:enhance-existing

type:new

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/uptime-kuma#2937

No description provided.