From 6ecb909bfda4db4ddff23d17e4dc7e199700cd7d Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Wed, 22 Apr 2026 23:24:23 -0400
Subject: [PATCH] doc: document HTTP basic auth for metrics server
Signed-off-by: Xe Iaso
---
 data/botPolicies.yaml | 7 +++++++
 docs/docs/CHANGELOG.md | 1 +
 docs/docs/admin/policies.mdx | 16 ++++++++++++++++
 3 files changed, 24 insertions(+)
diff --git a/data/botPolicies.yaml b/data/botPolicies.yaml
index fd1d1a34..d6d3671e 100644
--- a/data/botPolicies.yaml
+++ b/data/botPolicies.yaml
@@ -175,6 +175,13 @@ status_codes:
 # bind: ":9090"
 # network: "tcp"
 #
+# # To protect your metrics server with basic auth, set credentials below:
+# #
+# # https://anubis.techaro.lol/docs/admin/policies#http-basic-authentication
+# basicAuth:
+# username: ""
+# password: ""
+#
 # # To serve metrics over TLS, set the path to the right TLS certificate and key
 # # here. When the files change on disk, they will automatically be reloaded.
 # #
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index d1bd4935..f4826178 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
 - Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
 - Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls).
+- Enable [HTTP basic auth](./admin/policies.mdx#http-basic-authentication) for the metrics server.
 ## v1.25.0: Necron
diff --git a/docs/docs/admin/policies.mdx b/docs/docs/admin/policies.mdx
index 06de8dd8..aefb1845 100644
--- a/docs/docs/admin/policies.mdx
+++ b/docs/docs/admin/policies.mdx
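Review bot: The commented `basicAuth` sample in data/botPolicies.yaml ships `username: ""` and `password: ""` without telling the operator what to put there, and it does not mention that basic auth credentials are only base64-encoded on the wire. The diff does not show how empty values are handled at load time, so the sample should at least steer away from them, e.g. `#   # Set both to long, randomly generated values; do not leave them empty.` followed by `#   # Basic auth does not encrypt anything: pair it with the TLS settings below when metrics are reachable off-host.` The same gap is in the policies.mdx section later in this patch, whose example pairs `basicAuth` with a plain `bind: ":9090"` listener and uses the guessable `azurediamond` / `hunter2` pair right after advising random credentials; a placeholder such as `password: "<randomly-generated-string>"` would match the text. Because the credentials sit in the policy file in cleartext, a line on restricting that file's read permissions would also help.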
@@ -171,6 +171,22 @@ metrics:
 As it is not expected for certificate authority certificates to change often, the CA certificate will NOT be automatically reloaded when the respective file changes.
+### HTTP basic authentication
+
+Anubis' metrics server also supports setting HTTP basic auth as a lightweight protection against unauthorized users viewing metrics data. As the basic auth credentials are hardcoded in the configuration file, administrators SHOULD use randomly generated credentials, such as type-4 UUIDs or other high entropy strings. These credentials MUST NOT be sensitive or used to protect other high value systems.
+
+Configure it with the `basicAuth` block under `metrics`:
+
+```yaml
+metrics:
+ bind: ":9090"
+ network: "tcp"
+
+ basicAuth:
+ username: azurediamond
+ password: hunter2
+```
+
 ## Imprint / Impressum support
 Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.