Security: Protect /health and /stats on public deployments #40
Description
Problem
- Health and stats endpoints are unauthenticated and may be publicly accessible.
Risk
- Information disclosure (uptime, config flags), potential for probing.
Recommendations
- If publicly exposed, add simple auth/rate limiting or serve behind a protected network path; document guidance.