Root path publicly accessible

[frodoagu]

Hi team 👋

We've noticed that when deploying Policy Bot, the root endpoint (/) is publicly accessible and returns an HTML page with a some information that we don't want to expose.

While the root path currently does not expose sensitive data, this may:

• Reveal implementation details about the CI/CD pipeline to external parties (e.g., the use of Policy Bot).
• Provide an unauthenticated endpoint that could be expanded in future versions, increasing risk.
• Contradict best practices around minimizing exposed surface area in production systems.

Suggested improvement:

• Require authentication for the root path
• Provide a configuration flag to disable or restrict public access to the / endpoint.

Let me know if you'd be open to a PR or if there are existing workarounds. Thanks for the great tool!

— Fede

[asvoboda]

I don't think its a concern to have the root page public and accessible. It describes what policy-bot is, how to use it, and links some documents to users. Its pretty simple https://github.com/palantir/policy-bot/blob/6f885d4534d1e003242f9765e0e6c85a30462548/server/templates/index.html.tmpl

If you want to create a pull request to make it optional, that seems fine.

[frodoagu]

@asvoboda I just submitted a PR! thanks!