---
title: Endpoint handles both authenticated and unauthenticated traffic
description: Datadog, the leading service for cloud-scale monitoring.
---

# Endpoint handles both authenticated and unauthenticated traffic
 
## Description{% #description %}

This endpoint has been observed handling both authenticated and unauthenticated traffic. This may indicate an intentional dual-access design, a recent endpoint tagging or instrumentation change, or inconsistent authentication enforcement. If the endpoint is expected to always require authentication, treat this as a potential authentication bypass or misconfiguration.

## Rationale{% #rationale %}

This finding is triggered when Datadog observes both of the following for the same endpoint:

- Requests with evidence of an [authentication mechanism](https://docs.datadoghq.com/security/application_security/api-inventory.md#endpoint-authentication).
- Requests that do not match the endpoint-tagging rules configured for the service, or the endpoint can be queried without authentication during an endpoint scan.

This is a mixed-signal finding. It indicates that Datadog observed both authenticated and unauthenticated access to the endpoint, but it does not, by itself, prove an authentication bypass.

## Remediation{% #remediation %}

First, confirm the intended authentication policy for this endpoint to determine which scenario applies.

### The endpoint is designed for both authenticated and unauthenticated access{% #the-endpoint-is-designed-for-both-authenticated-and-unauthenticated-access %}

If mixed access is expected by design, this finding is informational. You can mute it for this endpoint.

### A recent tagging or instrumentation change caused the conflicting signal{% #a-recent-tagging-or-instrumentation-change-caused-the-conflicting-signal %}

If a recent and expected change to endpoint-tagging rules, authentication middleware, or instrumentation explains the finding, you can mute it temporarily for 7 days while the previous data expires.

### The endpoint should always require authentication{% #the-endpoint-should-always-require-authentication %}

If this endpoint should not allow unauthenticated access:

1. Verify that authentication is enforced consistently in your application code, API gateway, reverse proxy, and service configuration.
1. Review recent changes to endpoint-tagging rules or authentication middleware that could explain the conflicting signal.
1. Investigate how [authentication is detected](https://docs.datadoghq.com/security/application_security/api-inventory.md#endpoint-authentication) for this endpoint and verify that requests are being tagged consistently.
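
To cross-check the finding against your own access logs while working through these steps, the following added example (not Datadog's detection logic and not code from this page) flags endpoints that returned successful responses both with and without credentials. The log format, `SAMPLE_LOG`, and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). Assumed format:
# METHOD PATH STATUS auth=<scheme or "-">
SAMPLE_LOG = """\
GET /api/orders/1001 200 auth=bearer
GET /api/orders/1002 200 auth=-
GET /api/orders/1003 401 auth=-
POST /api/login 200 auth=-
GET /api/profile 200 auth=bearer
GET /api/profile 401 auth=-
GET /api/health 200 auth=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) auth=(\S+)$")
ID_SEGMENT = re.compile(r"/(\d+|[0-9a-fA-F-]{36})(?=/|$)")


def normalize(path):
    """Collapse numeric and UUID segments so /orders/1 and /orders/2 group together."""
    return ID_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def mixed_auth_endpoints(log_text):
    """Return endpoints that served successful responses both with and without credentials."""
    seen = defaultdict(lambda: {"auth": 0, "unauth": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        method, path, status, scheme = m.groups()
        if not 200 <= int(status) < 400:
            continue  # a 401/403 for an anonymous request is enforcement working
        key = f"{method} {normalize(path)}"
        seen[key]["auth" if scheme != "-" else "unauth"] += 1
    return sorted(k for k, c in seen.items() if c["auth"] and c["unauth"])


if __name__ == "__main__":
    for endpoint in mixed_auth_endpoints(SAMPLE_LOG):
        print("mixed access:", endpoint)
```

An endpoint that only ever rejects anonymous requests, such as `/api/profile` in the sample, is not reported, while `/api/orders/{id}` is because one anonymous request received a 200.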
