In the sample for ASP.NET Health Checks UI, only the UI requires authorization, but not the endpoint. Is that by intention? Why protect the UI if the endpoint is unprotected? Isn't all information available anonymously from the endpoint then? What am I missing?

Requiring authorization for both the endpoint and for the UI will crash the UI:

app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization(Policies.HealthChecksUiPolicy);

app.MapHealthChecksUI()
    .RequireAuthorization(Policies.HealthChecksUiPolicy);

gives:

Unexpected character encountered while parsing value: <. Path '', line 0, position 0.

This seems to have been reported in https://github.com/Xabaril/AspNetCore.Diagnostics.HealthChecks/issues/327 but that issue was closed.

Kristoffer Jälén
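
One way to keep both the JSON endpoint and the dashboard protected, as an added example that is not part of the original question or the project's samples. It assumes the parse error comes from the UI's background collector requesting /health without credentials and receiving an HTML login page instead of JSON; the X-Health-Key header, the HealthUi:CollectorKey setting, both policy names and the localhost address are hypothetical.

```csharp
// Added example. Names marked "hypothetical" are assumptions, not from the question.
using System.Security.Cryptography;
using System.Text;
using HealthChecks.UI.Client;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;

var builder = WebApplication.CreateBuilder(args);
// Hypothetical setting: a secret known only to the UI's collector.
var secret = builder.Configuration["HealthUi:CollectorKey"]
    ?? throw new InvalidOperationException("HealthUi:CollectorKey is not set");
var key = Encoding.UTF8.GetBytes(secret);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(options =>
{
    // Stand-in for Policies.HealthChecksUiPolicy: interactive users of the dashboard.
    options.AddPolicy("HealthChecksUiPolicy", p => p.RequireAuthenticatedUser());
    // Hypothetical policy for the JSON endpoint: the caller must present the key.
    // On ASP.NET Core 5+ the authorization resource is the HttpContext.
    options.AddPolicy("HealthEndpointPolicy", p => p.RequireAssertion(ctx =>
        ctx.Resource is HttpContext http
        && http.Request.Headers.TryGetValue("X-Health-Key", out var sent)
        && CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(sent.ToString()), key)));
});

builder.Services.AddHealthChecks();
builder.Services.AddHealthChecksUI(setup =>
{
    // Constructed address; point it at this application's own /health.
    setup.AddHealthCheckEndpoint("self", "https://localhost:5001/health");
    // The collector has no user session, so it sends the key itself.
    setup.ConfigureApiEndpointHttpclient((sp, client) =>
        client.DefaultRequestHeaders.Add("X-Health-Key", secret));
}).AddInMemoryStorage();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapHealthChecks("/health", new HealthCheckOptions
{
    Predicate = _ => true,
    ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
}).RequireAuthorization("HealthEndpointPolicy");

app.MapHealthChecksUI().RequireAuthorization("HealthChecksUiPolicy");
app.Run();
```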

0 Answers