## Security hints

### Protect ini file

The ini file can contain credentials for databases or api secrets if checks must test its acess.

* If possible put them outside webroot or
* protect its access with http, put it into a folder "protected" below webroot and deny the access

Snippet for Apache httpd:

```txt
  <Location "/protected">
    Require all denied
  </Location>
```

### IP restriction

The request to exec the `amcli` (or the generated static json file) should be protected. Maybe your output has no sensitive information but maybe it does on error. The monitoring request is not for the public.

Dynamic requests depending on the kind of checks can run a bit longer and could be misused for DOS attacks.

You can set an ip restriction to the ip address of your appmonitor server instance + localhost.

Snippet for Apache httpd:

```txt
<location "/appmonitor">
    Require ip 192.168.100.10
    Require ip 127.0.0.1
</Location>
```