Endpoint handles both authenticated and unauthenticated traffic

Description

This endpoint has been observed handling both authenticated and unauthenticated traffic. This may indicate an intentional dual-access design, a recent endpoint tagging or instrumentation change, or inconsistent authentication enforcement. If the endpoint is expected to always require authentication, treat this as a potential authentication bypass or misconfiguration.

Rationale

This finding is triggered when Datadog observes both of the following kinds of requests to the same endpoint:

  • requests with evidence of an authentication mechanism.
  • requests that do not match the endpoint-tagging rules configured for the service, or that can be queried without authentication during an endpoint scan.

This is a mixed-signal finding. It indicates that Datadog observed both authenticated and unauthenticated access to the endpoint, but it does not, by itself, prove an authentication bypass.

Remediation

First, confirm the intended authentication policy for this endpoint to determine which scenario applies.

The endpoint is designed for both authenticated and unauthenticated access

If mixed access is expected by design, this finding is informational. You can mute it for this endpoint.

A recent tagging or instrumentation change caused the conflicting signal

If a recent and expected change to endpoint-tagging rules, authentication middleware, or instrumentation explains the finding, you can mute it temporarily for 7 days while the previous data expires.

The endpoint should always require authentication

If this endpoint should not allow unauthenticated access:

  1. Verify that authentication is enforced consistently in your application code, API gateway, reverse proxy, and service configuration.
  2. Review recent changes to endpoint-tagging rules or authentication middleware that could explain the conflicting signal.
  3. Investigate how authentication is detected for this endpoint and verify that requests are being tagged consistently.
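
As an added example (not Datadog's detection logic and not code from this page), the script below supports step 1 by cross-checking your own access logs: it lists endpoints that returned a successful response both with and without credentials. The log format, the `auth=` field, the sample lines, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): METHOD PATH STATUS auth=<scheme or ->
SAMPLE_LOG = """\
GET /api/v1/orders/1042 200 auth=bearer
GET /api/v1/orders/7 200 auth=-
GET /api/v1/orders/9 401 auth=-
POST /api/v1/login 200 auth=-
GET /api/v1/profile 200 auth=bearer
GET /api/v1/profile 401 auth=-
GET /healthz 200 auth=-
GET /healthz 200 auth=basic
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

def normalize(path):
    """Drop the query string and collapse numeric segments into one endpoint."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def mixed_auth_endpoints(log_text, allowlist=()):
    """Return endpoints served (status < 400) both with and without credentials.

    allowlist holds (method, endpoint) pairs where mixed access is by design.
    """
    served = defaultdict(lambda: {"auth": 0, "unauth": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if int(m["status"]) >= 400:
            continue  # 4xx/5xx: the request was not served
        key = (m["method"], normalize(m["path"]))
        served[key]["unauth" if m["auth"] == "-" else "auth"] += 1
    return {
        key: counts for key, counts in served.items()
        if counts["auth"] and counts["unauth"] and key not in allowlist
    }

if __name__ == "__main__":
    for (method, endpoint), counts in mixed_auth_endpoints(SAMPLE_LOG).items():
        print(f"{method} {endpoint}: {counts}")
```

An endpoint that only ever rejects unauthenticated requests (like `/api/v1/profile` in the sample) is not reported, which separates consistent enforcement from a genuinely mixed endpoint.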