prometheus/docs/configuration/https.md

---
title: HTTPS and authentication
sort_rank: 7
---

Prometheus supports basic authentication and TLS.
This is **experimental** and might change in the future.

To specify which web configuration file to load, use the `--web.config.file` flag.

The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML),
defined by the scheme described below.
Brackets indicate that a parameter is optional. For non-list parameters the
value is set to the specified default.

The file is read upon every http request, such as any change in the
configuration and the certificates is picked up immediately.

Generic placeholders are defined as follows:

* `<boolean>`: a boolean that can take the values `true` or `false`
* `<filename>`: a valid path in the current working directory
* `<secret>`: a regular string that is a secret, such as a password
* `<string>`: a regular string

A valid example file can be found [here](/documentation/examples/web-config.yml).

```yaml
tls_server_config:
  # Certificate and key files for server to use to authenticate to client.
  cert_file: <filename>
  key_file: <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  #
  # NOTE: If you want to enable client authentication, you need to use
  # RequireAndVerifyClientCert. Other values are insecure.
  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
  [ client_ca_file: <filename> ]

  # Verify that the client certificate has a Subject Alternate Name (SAN)
  # which is an exact match to an entry in this list, else terminate the
  # connection. SAN match can be one or multiple of the following: DNS,
  # IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate.
  [ client_allowed_sans:
    [ - <string> ] ]

  # Minimum TLS version that is acceptable.
  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
  #
  # Note that only the cipher returned by the following function are supported:
  # https://pkg.go.dev/crypto/tls#CipherSuites
  [ cipher_suites:
    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
  [ prefer_server_cipher_suites: <boolean> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
  [ curve_preferences:
    [ - <string> ] ]

http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
  [ http2: <boolean> | default = true ]
  # List of headers that can be added to HTTP responses.
  [ headers:
    # Set the Content-Security-Policy header to HTTP responses.
    # Unset if blank.
    [ Content-Security-Policy: <string> ]
    # Set the X-Frame-Options header to HTTP responses.
    # Unset if blank. Accepted values are deny and sameorigin.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    [ X-Frame-Options: <string> ]
    # Set the X-Content-Type-Options header to HTTP responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    [ X-Content-Type-Options: <string> ]
    # Set the X-XSS-Protection header to all responses.
    # Unset if blank.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    [ X-XSS-Protection: <string> ]
    # Set the Strict-Transport-Security header to HTTP responses.
    # Unset if blank.
    # Please make sure that you use this with care as this header might force
    # browsers to load Prometheus and the other applications hosted on the same
    # domain and subdomains over HTTPS.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    [ Strict-Transport-Security: <string> ] ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
  [ <string>: <secret> ... ]
```
Add https and authentication to the navbar Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2021-01-04 08:11:02 +08:00			`---`
			`title: HTTPS and authentication`
			`sort_rank: 7`
			`---`

Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00			`Prometheus supports basic authentication and TLS.`
			`This is experimental and might change in the future.`

			To specify which web configuration file to load, use the `--web.config.file` flag.

			`The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML),`
			`defined by the scheme described below.`
			`Brackets indicate that a parameter is optional. For non-list parameters the`
			`value is set to the specified default.`

			`The file is read upon every http request, such as any change in the`
			`configuration and the certificates is picked up immediately.`

			`Generic placeholders are defined as follows:`

			* `<boolean>`: a boolean that can take the values `true` or `false`
			* `<filename>`: a valid path in the current working directory
			* `<secret>`: a regular string that is a secret, such as a password
			* `<string>`: a regular string

https: Add example configuration file Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-30 04:14:45 +08:00			`A valid example file can be found [here](/documentation/examples/web-config.yml).`

Clean up codeboxes and headings in docs The new docs site will have syntax highlighting, so this adds language tags to code boxes that are currently missing them. I didn't add `promql` as a language yet since the highlighter doesn't support it yet, plus a lot of the PromQL codeboxes in our docs aren't strictly valid PromQL, they are more like multiple expressions listed in the same code box on multiple lines. So I'm leaving that for sometime later. In the HTTP API page, I moved the curl examples from the JSON codeboxes to their own ones above the JSON output. I considered putting an "Output:" text between the curl + JSON output, but I think the way it currently looks without it is probably fine. I also fixed a number of headings which were at the wrong level relative to their nesting in the document. I also removed `go` as a language from the Go template language examples, because the Go template language isn't Go at all. I also adjusted the indent on one codebox to be more reasonable (2 spaces instead of 8). And then finally, my editor made a bunch of whitespace changes automatically, like removing trailing spaces. Signed-off-by: Julius Volz <julius.volz@gmail.com> Signed-off-by: Julius Volz <julius.volz@gmail.com> 2025-05-13 21:37:57 +08:00			```yaml
Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00			`tls_server_config:`
			`# Certificate and key files for server to use to authenticate to client.`
			`cert_file: <filename>`
			`key_file: <filename>`

			`# Server policy for client authentication. Maps to ClientAuth Policies.`
Fix link in documentation Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2021-01-04 08:12:21 +08:00			`# For more detail on clientAuth options:`
			`# https://golang.org/pkg/crypto/tls/#ClientAuthType`
Add note to docs Signed-off-by: Levi Harrison <git@leviharrison.dev> Co-authored-by: Julien Pivotto <roidelapluie@inuits.eu> 2021-07-28 01:43:52 +08:00			`#`
			`# NOTE: If you want to enable client authentication, you need to use`
			`# RequireAndVerifyClientCert. Other values are insecure.`
Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00			`[ client_auth_type: <string> \| default = "NoClientCert" ]`

			`# CA certificate for client certificate authentication to the server.`
			`[ client_ca_file: <filename> ]`

Update exporter-toolkit Adds web config option `client_allowed_sans`. This enables Prometheus to limit the Subject Alternate Name (SAN) allowed to connect. Signed-off-by: SuperQ <superq@gmail.com> 2023-05-30 15:08:00 +08:00			`# Verify that the client certificate has a Subject Alternate Name (SAN)`
			`# which is an exact match to an entry in this list, else terminate the`
			`# connection. SAN match can be one or multiple of the following: DNS,`
			`# IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate.`
			`[ client_allowed_sans:`
			`[ - <string> ] ]`

Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00			`# Minimum TLS version that is acceptable.`
			`[ min_version: <string> \| default = "TLS12" ]`

			`# Maximum TLS version that is acceptable.`
			`[ max_version: <string> \| default = "TLS13" ]`

			`# List of supported cipher suites for TLS versions up to TLS 1.2. If empty,`
			`# Go default cipher suites are used. Available cipher suites are documented`
			`# in the go documentation:`
			`# https://golang.org/pkg/crypto/tls/#pkg-constants`
docs: clarify supported tls cipher suites (#10903) Signed-off-by: Alex Gavin <a_gavin@icloud.com> 2022-06-30 17:34:49 +08:00			`#`
			`# Note that only the cipher returned by the following function are supported:`
			`# https://pkg.go.dev/crypto/tls#CipherSuites`
Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00			`[ cipher_suites:`
			`[ - <string> ] ]`

			`# prefer_server_cipher_suites controls whether the server selects the`
			`# client's most preferred ciphersuite, or the server's most preferred`
			`# ciphersuite. If true then the server's preference, as expressed in`
			`# the order of elements in cipher_suites, is used.`
Docs: use boolean instead of bool boolean makes the type consistent and clickable on https://prometheus.io/docs/prometheus/latest/configuration/configuration/ Signed-off-by: Julien Pivotto <roidelapluie@o11y.eu> 2023-03-22 00:27:21 +08:00			`[ prefer_server_cipher_suites: <boolean> \| default = true ]`
Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00
			`# Elliptic curves that will be used in an ECDHE handshake, in preference`
			`# order. Available curves are documented in the go documentation:`
			`# https://golang.org/pkg/crypto/tls/#CurveID`
			`[ curve_preferences:`
			`[ - <string> ] ]`

			`http_server_config:`
			`# Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.`
			`# This can not be changed on the fly.`
			`[ http2: <boolean> \| default = true ]`
Add support for security-related HTTP headers (#9546) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2021-10-20 03:26:52 +08:00			`# List of headers that can be added to HTTP responses.`
			`[ headers:`
			`# Set the Content-Security-Policy header to HTTP responses.`
			`# Unset if blank.`
			`[ Content-Security-Policy: <string> ]`
			`# Set the X-Frame-Options header to HTTP responses.`
			`# Unset if blank. Accepted values are deny and sameorigin.`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options`
			`[ X-Frame-Options: <string> ]`
			`# Set the X-Content-Type-Options header to HTTP responses.`
			`# Unset if blank. Accepted value is nosniff.`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options`
			`[ X-Content-Type-Options: <string> ]`
			`# Set the X-XSS-Protection header to all responses.`
docs: correct the accepted value for X-XSS-Protection header (#11015) Signed-off-by: heylongdacoder <heylongdacoder@gmail.com> 2022-07-14 06:50:02 +08:00			`# Unset if blank.`
Add support for security-related HTTP headers (#9546) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2021-10-20 03:26:52 +08:00			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection`
			`[ X-XSS-Protection: <string> ]`
			`# Set the Strict-Transport-Security header to HTTP responses.`
			`# Unset if blank.`
			`# Please make sure that you use this with care as this header might force`
			`# browsers to load Prometheus and the other applications hosted on the same`
			`# domain and subdomains over HTTPS.`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security`
			`[ Strict-Transport-Security: <string> ] ]`
Add TLS and basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-12-25 19:45:31 +08:00
			`# Usernames and hashed passwords that have full access to the web`
			`# server via basic authentication. If empty, no basic authentication is`
			`# required. Passwords are hashed with bcrypt.`
			`basic_auth_users:`
			`[ <string>: <secret> ... ]`
			```