Description
Prior to Dropwizard 2.1, the healthcheck JSON output (from io.dropwizard.modules:dropwizard-health) was limited to pretty much a boolean output ("healthy" or "unhealthy").
With 2.1, the JSON response (when requested with /health-check?name=all) gives a fine-grained status for each upstream service, and it does so on the public port.
This seems slightly dangerous to me from both a security and privacy perspective. Take for instance a situation like the following, where we are leaking to the public that the service uses a specific database (security), AND that there's likely a major product announcement forthcoming (privacy):
```json
[
{"name":"popular-database-with-known-vulnerabilities","healthy":true,"type":"READY","critical":true},
{"name":"beta-chatgpt-hologram-nft-service","healthy":true,"type":"READY","critical":false}
]
```

Now, I'm not saying this is a rootkit-level sort of security threat, but my feeling has always been that Dropwizard should be skewing toward a "default secure" mindset. And of course a properly configured load balancer will prevent this access from occurring, but not everyone is perfect all of the time.
I'm all for exposing this detailed information on the admin port, and for exposing a very limited, zero-details healthcheck service on the public port. But it really seems like a security failure to make those details available, in the default configuration, on the public port.
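As an added illustration of the distinction drawn in this issue (this is example code, not part of Dropwizard or dropwizard-health), the script below takes a detailed health-check body of the shape quoted above and does two things a reviewer of a public endpoint would want: it reduces the response to the zero-details form suitable for the public port, and it flags any response that still carries per-dependency fields. The input is a constructed copy of the JSON from the issue; the aggregation rule (overall healthy if and only if every check marked `critical` is healthy) is an assumption about how an aggregate should be derived, not a statement about Dropwizard's own logic.

```python
"""Reduce a detailed health-check body to a public-safe summary and detect detail leakage.

Added example, not Dropwizard code. It assumes the response shape shown in the
issue: a JSON array of objects with "name", "healthy", "type" and "critical".
"""
import json
from typing import Dict, List, Set

# Constructed sample: the detailed body quoted in the issue.
DETAILED_BODY = json.dumps([
    {"name": "popular-database-with-known-vulnerabilities",
     "healthy": True, "type": "READY", "critical": True},
    {"name": "beta-chatgpt-hologram-nft-service",
     "healthy": True, "type": "READY", "critical": False},
])

# Fields that identify an upstream dependency or its role; none of them should
# appear in a response served on the public port.
DETAIL_KEYS = {"name", "type", "critical"}


def parse_checks(body: str) -> List[Dict]:
    """Parse a detailed body; reject anything that is not a JSON array of objects."""
    data = json.loads(body)
    if not isinstance(data, list) or not all(isinstance(c, dict) for c in data):
        raise ValueError("expected a JSON array of health-check objects")
    return data


def aggregate_healthy(checks: List[Dict]) -> bool:
    """Assumed rule: healthy iff every critical check is healthy.

    Non-critical checks may fail without changing the aggregate; a body with
    no critical checks at all is treated as healthy.
    """
    return all(c.get("healthy", False) for c in checks if c.get("critical", False))


def public_summary(body: str) -> Dict[str, bool]:
    """The only thing a public port should answer: the aggregate boolean."""
    return {"healthy": aggregate_healthy(parse_checks(body))}


def leaked_fields(body: str) -> Set[str]:
    """Return the detail-bearing keys present in a response body.

    An empty set means the body exposes nothing beyond an aggregate status;
    a non-empty set is the condition this issue describes. Unparseable or
    non-JSON bodies are reported as leaking nothing, since they carry no fields.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    items = data if isinstance(data, list) else [data]
    leaked: Set[str] = set()
    for item in items:
        if isinstance(item, dict):
            leaked |= DETAIL_KEYS & set(item.keys())
    return leaked


if __name__ == "__main__":
    summary = public_summary(DETAILED_BODY)
    print("public-port form:", json.dumps(summary))
    print("detail fields in original body:", sorted(leaked_fields(DETAILED_BODY)))
    print("detail fields in summary:", sorted(leaked_fields(json.dumps(summary))))
```

Run against a live deployment, `leaked_fields` applied to whatever the public port returns is a quick regression check that the detailed form has not been exposed there; the detailed body itself belongs behind the admin port, as the issue argues.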