I want to share a security concern with you and would like to get your opinion. In my project we have java-based back-end applications which use the http-based health check (see https://docs.cloudfoundry.org/devguide/deploy-apps/healthchecks.html#health_check_uri) . This work s fine and the cf controller can check the health of our apps and act accordingly. Nevertheless we tried to secure this endpoint to not allow attackers to create a dDOS attack on the health endpoint. But the cf controller is sending no certificate or other identity credentials with it's request which allow us to neglect unauthorized access to this http based health endpoint. Do you have any proposal here on how to secure this endpoint and still have it accessible by the cf controller?
I expect that the cf controller sends some identity credentials with it's helath check requests.