Option to disable remote config loading #406

Open
taliaferro opened this issue Mar 12, 2022 · 1 comment

@taliaferro

I'd like to be able to disable the "Load configuration file from URL" feature.

In a high-security environment, operators might not want users to be able to load their own config files to send whatever HTTP requests they want from Monitoror. This is especially true since a status monitor might sit in a position where it has visibility into lots of different parts of the network.

One potential workaround would be to put Monitoror behind a proxy which denies any requests containing `?config=http`, but that's not an ideal solution. The feature has pretty big security implications, and people deploying Monitoror in secure environments ought to have the option to turn it off outright.

I would like to request a feature: a new toggle in the Core config. If I set an environment variable like `MO_REMOTE_CONFIG=false`, that feature should be disabled.

@Alex-D
Member

Alex-D commented Mar 16, 2022

Thank you for your feedback. We have already thought about something like that, but it's not that simple.
Since all calls can be done from the client UI, through the Core, if the Core has access to something, any client UI can access it.

So, the only solution is to build an allow-list of URLs from the config file set in Core env `MO_CONFIG` and `MO_CONFIG_*`.
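
One way the allow-list described in the comment above could work, as an added example that is not part of the thread and not Monitoror's own code: collect the URLs the operator set in `MO_CONFIG` and `MO_CONFIG_*`, then accept a requested `?config=` URL only on an exact match after normalization. The function names and sample hostnames are hypothetical, and it assumes those variables may hold either a local path or an http(s) URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// canonical returns a normalized form of an absolute http(s) URL, or false for
// anything else (local paths, other schemes, embedded credentials, bad input).
func canonical(raw string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Host == "" || u.User != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return "", false
	}
	u.Host, u.Fragment = strings.ToLower(u.Host), "" // host is case-insensitive; fragment is never sent
	return u.String(), true
}

// buildAllowList collects the URLs an operator set in MO_CONFIG and MO_CONFIG_*.
// environ has the "KEY=value" shape returned by os.Environ().
func buildAllowList(environ []string) map[string]bool {
	allow := map[string]bool{}
	for _, kv := range environ {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || (key != "MO_CONFIG" && !strings.HasPrefix(key, "MO_CONFIG_")) {
			continue
		}
		if c, ok := canonical(val); ok { // local file paths are skipped here
			allow[c] = true
		}
	}
	return allow
}

// configAllowed is an exact match after normalization: no prefix or host-only
// matching, so a look-alike host or a different path on the same host fails.
func configAllowed(allow map[string]bool, requested string) bool {
	c, ok := canonical(requested)
	return ok && allow[c]
}

func main() {
	// Constructed sample environment (assumption, not taken from the issue).
	env := []string{"MO_CONFIG=./config.json", "MO_CONFIG_OPS=https://configs.example.internal/ops.json"}
	allow := buildAllowList(env)
	fmt.Println(configAllowed(allow, "https://CONFIGS.example.internal/ops.json"))   // operator-set URL
	fmt.Println(configAllowed(allow, "https://other.example.internal/anything.json")) // user-supplied URL
}
```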
