The net/http/pprof endpoints include stack traces with integer arguments, which can leak sensitive information depending on the settings. We should mention that in the docs.

Comment From: FiloSottile

Maybe we should even hide the variables from the net/http/pprof output, or make them optional.

Comment From: rleungx

Is there any update on this issue?

Comment From: mknyszek

I think we have come to the conclusion that net/http/pprof just provides so many things that might contain sensitive information, that it just shouldn't be exposed on an externally-facing endpoint. #42834 is closely related.

I think in the short term, what we should do is add a warning to the top of the package documentation to this effect, and also provide an example of how to set up net/http/pprof over something like a Unix domain socket. (Echoing stuff like https://eli.thegreenplace.net/2019/unix-domain-sockets-in-go/.)
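The Unix-domain-socket setup suggested in the comment above, as an added example (not code from the Go project or from this issue). It isolates the profiling handlers on a socket the local user owns with mode 0600, and gives the externally-facing server its own explicit mux, because merely importing net/http/pprof registers its handlers on http.DefaultServeMux, so any `http.ListenAndServe(addr, nil)` would publish them. The socket path, the `:8080` port and the `/healthz` route are assumptions for illustration; `pprofExposedOnDefaultMux` is a hypothetical helper showing how to check the default mux, not part of any library.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"net/http/pprof" // the import alone registers handlers on http.DefaultServeMux
	"os"
	"path/filepath"
	"time"
)

// newPprofMux builds a private mux carrying only the profiling handlers.
func newPprofMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// newPublicMux is the application's externally-facing mux (assumed route).
// It deliberately does not reuse http.DefaultServeMux, where net/http/pprof
// registered itself as a side effect of the import above.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// servePprofOnUnixSocket listens on a Unix domain socket restricted to the
// current user and serves the profiling mux on it. Shutdown on the returned
// server closes the listener, which also unlinks the socket file.
func servePprofOnUnixSocket(sockPath string) (*http.Server, error) {
	_ = os.Remove(sockPath) // clear a stale socket left by a previous run
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	// Only the owning user may connect; other local accounts get EACCES.
	if err := os.Chmod(sockPath, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	srv := &http.Server{Handler: newPprofMux(), ReadHeaderTimeout: 5 * time.Second}
	go srv.Serve(ln) // returns http.ErrServerClosed after Shutdown
	return srv, nil
}

// unixSocketClient returns an HTTP client that dials the socket regardless of
// the host in the URL, for an operator fetching profiles locally.
func unixSocketClient(sockPath string) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", sockPath)
			},
		},
		Timeout: 5 * time.Second,
	}
}

// pprofExposedOnDefaultMux (hypothetical helper) reports whether the default
// mux would serve the profiling index; true means that passing a nil handler
// to a public http.ListenAndServe would expose it.
func pprofExposedOnDefaultMux() bool {
	req, _ := http.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	_, pattern := http.DefaultServeMux.Handler(req)
	return pattern != ""
}

func main() {
	sock := filepath.Join(os.TempDir(), "app-pprof.sock") // assumed path
	srv, err := servePprofOnUnixSocket(sock)
	if err != nil {
		log.Fatal(err)
	}
	defer srv.Shutdown(context.Background())
	log.Printf("pprof on %s (mode 0600); default mux exposes pprof: %v", sock, pprofExposedOnDefaultMux())
	log.Fatal(http.ListenAndServe(":8080", newPublicMux())) // explicit mux, never nil
}
```

An operator on the host can then fetch a profile with a client like `unixSocketClient` or with `curl --unix-socket /tmp/app-pprof.sock http://localhost/debug/pprof/heap`, while the public listener on `:8080` answers only the application's own routes.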