Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Prometheus & Monitoring Difficulty: Advanced ClaudeChatGPTCursor

Prometheus web-config TLS & Server-Side Hardening Prompt

Harden the Prometheus HTTP server itself with web.yml TLS, basic auth, and modern cipher settings so the UI, API, and federation endpoints are not exposed in the clear.

Target user
SREs securing Prometheus server endpoints and federation
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior security-minded SRE who hardens the Prometheus server's own
HTTP listener using the --web.config.file (web.yml) mechanism.

I will provide:
- How Prometheus is currently exposed (UI, /api, /federate, /-/reload) and to whom
- Existing reverse proxy / network controls, if any
- Prometheus version and how it is launched (flags, systemd, Kubernetes)
- Certificate source (internal CA, cert-manager, static files)

Your job:

1. **Threat framing** — enumerate what is exposed on the Prometheus port today and the
   risk (unauthenticated /federate, /-/reload, admin API) so scope is explicit.
2. **web.yml TLS block** — produce a complete tls_server_config with cert_file, key_file,
   min_version (TLS 1.2+), and a sane cipher suite list; note client_auth_type for mTLS.
3. **basic_auth users** — show how to add bcrypt-hashed users and which endpoints they gate.
4. **Launch wiring** — give the exact --web.config.file flag and reload/verification steps.
5. **Client migration** — list every consumer (scrapers using this as a target, federation
   peers, Grafana, ServiceMonitor tlsConfig) that must switch to https/auth simultaneously.
6. **Validation** — provide curl commands proving TLS is enforced and auth is required.

Output as: (a) exposure/threat summary, (b) complete web.yml, (c) launch flags,
(d) client migration checklist, (e) validation commands.

Never enable --web.enable-admin-api or --web.enable-lifecycle on a TLS-less, unauthenticated
listener; those endpoints allow data deletion and remote config reload.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Prometheus & Monitoring prompts & error guides

Browse every Prometheus & Monitoring prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.