
SSO + Zero-Day Protection for Uptime Kuma

by Uptime Kuma Community

Add SAML/OIDC SSO to Uptime Kuma — Protect Status Pages and Monitoring from Unauthorized Access

Why Uptime Kuma Needs an Authenticated Proxy

Uptime Kuma is a popular self-hosted uptime monitoring tool that tracks the availability of websites, APIs, databases, and services. It provides real-time status pages, alert notifications, and historical uptime data. The tool is simple and effective, but its monitor configuration reveals which services you operate, their URLs, health check endpoints, and notification channels. This information helps attackers identify targets, understand your infrastructure dependencies, and plan attacks against monitored services. OnePAM adds enterprise SSO to Uptime Kuma by placing an authenticated proxy in front of it. Only verified users can access monitoring configuration, status data, and alert settings.

HTTP Header Authentication
X-Forwarded-User (proxy-level auth)

Uptime Kuma has only a basic built-in login with a single admin account. OnePAM provides enterprise SSO as a reverse proxy, authenticating users via SAML/OIDC before any request reaches Uptime Kuma's login page.

Uptime Kuma Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Uptime Kuma is a Node.js application, so its dependency tree carries the JavaScript ecosystem's vulnerability classes (injection, prototype pollution)
Monitor configurations reveal all your services, URLs, and health check endpoints
Notification settings expose Slack webhooks, email configs, and PagerDuty keys
Status pages can leak service availability information to unauthorized viewers

Security Challenges with Uptime Kuma

These are the risks organizations face when Uptime Kuma is not behind an authenticated proxy.

Service Discovery Exposure

Monitor configurations list every service URL, API endpoint, and health check path you operate. This is a recon goldmine.

Notification Channel Secrets

Slack webhooks, PagerDuty API keys, SMTP credentials, and Telegram tokens are stored in notification settings.

Single-User Auth

Uptime Kuma supports only a single admin account by default. There's no multi-user RBAC or SSO support.

Status Page Leakage

Public status pages may reveal more about your infrastructure than intended. Private dashboards need authentication.

Node.js Attack Surface

As a Node.js application, Uptime Kuma inherits the vulnerabilities of its JavaScript dependencies, and any of them is reachable by whoever can send it a request.

No Enterprise Auth

Uptime Kuma has no SAML, OIDC, or LDAP support. It relies on a single username/password.

How OnePAM Adds SSO + Zero-Day Protection to Uptime Kuma

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Uptime Kuma.

1

Deploy OnePAM in Front of Uptime Kuma

Place OnePAM as the reverse proxy for Uptime Kuma's web interface.

Uptime Kuma is configured to listen on localhost only, so OnePAM becomes the sole entry point. Verify this rather than assume it: Uptime Kuma's port (3001 by default) should appear bound to 127.0.0.1 in the host's listener table, and when it runs in Docker the port must be published to loopback only (-p 127.0.0.1:3001:3001), since a plain -p 3001:3001 publishes it on every interface and lets clients bypass the proxy entirely.
2

Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider.

OnePAM handles authentication, MFA enforcement, and session management.
3

SSO Replaces Single Password

OnePAM provides multi-user SSO, replacing Uptime Kuma's single admin password.

Multiple team members can access monitoring with their corporate credentials. Each user is individually identified and audited.
4

Define Monitoring Access Policies

Control who can access monitoring configuration, status data, and notification settings.

SREs get full access, managers see status dashboards, and on-call engineers manage alert settings — from your IdP.
5

Audit Monitoring Access

Every monitoring access is logged with corporate identity context.

Know who modified monitors, changed notification settings, or viewed service status.
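Step 1 of the guide above depends on Uptime Kuma being unreachable except through the proxy, and that is worth checking rather than assuming. The check below is an added example, not OnePAM or Uptime Kuma code. It reads two things an operator already has at hand, the host's listener table in the format printed by `ss -ltn` and the container's port publication in the format printed by `docker port`, and reports every binding of Uptime Kuma's port (3001 by default) that is not on a loopback address. All sample lines are constructed; the `[::]:3001` entry shows a listener left on the IPv6 wildcard while IPv4 was correctly bound to 127.0.0.1.

```python
"""Verify step 1: Uptime Kuma must be reachable only through the proxy.

Added example, not OnePAM or Uptime Kuma code. It parses the host's listener
table (format of `ss -ltn`) and the container's port publication (format of
`docker port <container>`) and reports every binding of Uptime Kuma's port
that is not on a loopback address. All sample lines below are constructed.
"""
import ipaddress
import re

UPTIME_KUMA_PORT = 3001          # Uptime Kuma's default listening port


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, [::]) are not loopback."""
    addr = addr.strip("[]").split("%")[0]      # drop v6 brackets and scope id
    if addr in ("", "*"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output: str, port: int = UPTIME_KUMA_PORT) -> list:
    """Return the local sockets on which `port` listens outside loopback.

    `ss -ltn` prints: State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process
    """
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        addr, _, lport = local.rpartition(":")
        if lport == str(port) and not _is_loopback(addr):
            found.append(local)
    return found


_DOCKER_PORT = re.compile(r"^\s*(\d+)/(?:tcp|udp)\s*->\s*(\S+)\s*$")


def exposed_docker_ports(docker_port_output: str, port: int = UPTIME_KUMA_PORT) -> list:
    """Return host sockets to which the container's `port` is published outside loopback.

    `docker port <container>` prints lines like: 3001/tcp -> 0.0.0.0:3001
    """
    found = []
    for line in docker_port_output.splitlines():
        m = _DOCKER_PORT.match(line)
        if not m or int(m.group(1)) != port:
            continue
        host = m.group(2)
        addr, _, _ = host.rpartition(":")
        if not _is_loopback(addr):
            found.append(host)
    return found


# Constructed samples. IPv4 is correctly on loopback, but an IPv6 wildcard
# listener on the same port was left open: the proxy can be bypassed over v6.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:3001     0.0.0.0:*         users:(("node",pid=1234,fd=20))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("onepam",pid=999,fd=7))
LISTEN 0      511    [::]:3001          [::]:*            users:(("node",pid=1234,fd=21))
"""

# Constructed: the result of `docker run -p 3001:3001 ...`, which publishes on all interfaces.
SAMPLE_DOCKER = """\
3001/tcp -> 0.0.0.0:3001
3001/tcp -> [::]:3001
"""


if __name__ == "__main__":
    print("host listeners outside loopback:", exposed_listeners(SAMPLE_SS))
    print("docker publications outside loopback:", exposed_docker_ports(SAMPLE_DOCKER))
    print("fixed docker publication:", exposed_docker_ports("3001/tcp -> 127.0.0.1:3001\n"))
```

Run it against the real output of `ss -ltn` and `docker port <container>` on the host; an empty result from both functions is the condition step 1 requires. Checking both matters because the two can disagree: the container may bind only to loopback inside its own network namespace while Docker's port publication still exposes it on the host.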

Benefits of Securing Uptime Kuma with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Uptime Kuma.

Multi-User SSO for Uptime Kuma

Replace Uptime Kuma's single admin password with enterprise SSO for your entire team.

From 1 password to full SSO

Protect Service Intelligence

Monitor configurations and service URLs are only accessible to authenticated users.

Zero unauthorized service recon

Shield Notification Secrets

Slack webhooks, PagerDuty keys, and SMTP credentials are protected behind SSO.

Notification creds protected

MFA for Monitoring

Require MFA before accessing or modifying monitoring configuration.

MFA-gated monitoring

Shield from Exploits

Unauthenticated requests never reach Uptime Kuma, so a web application vulnerability can only be exercised by an authenticated, individually identified user.

Exploits blocked at proxy

Individual Accountability

Every monitoring change is tied to a corporate identity instead of a shared admin account.

Individual accountability

Uptime Kuma SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Uptime Kuma.

SAML 2.0 & OIDC SSO for Uptime Kuma (multi-user upgrade)
Monitor configuration access controls
Notification channel credential protection
Status page access policies
Session recording for monitoring changes
IP and geo-restriction for monitoring access
Device trust verification
Individual user identification and auditing
Concurrent session controls
Multiple monitoring instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Uptime Kuma from exploitation.

Uptime Kuma isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Node.js application vulnerabilities unreachable by unauthenticated clients
Notification credential isolation
Automatic session termination on IdP sign-out

Uptime Kuma SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Uptime Kuma.

1
SRE teams managing uptime monitoring via corporate SSO with individual accounts
2
Managers viewing service status dashboards with read-only access
3
On-call engineers managing alert notifications with MFA enforcement
4
Replacing shared admin passwords with individual identity-based access
5
Protecting monitoring configuration from unauthorized modification
6
Compliance-driven monitoring access auditing with individual accountability

Uptime Kuma SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Uptime Kuma.

Uptime Kuma only has one admin account. How does OnePAM help?

OnePAM adds multi-user SSO in front of Uptime Kuma. Multiple team members authenticate with their corporate credentials, and OnePAM identifies each user individually. This replaces the shared single-password model with enterprise identity management.

Can we still have public status pages?

Yes. OnePAM supports path-based policies, so a status page you intend to be public can be served without authentication while the admin dashboard requires SSO. Two things to get right: the unauthenticated allowlist has to cover everything the status page loads, not just its HTML (Uptime Kuma fetches the page's data from its own API paths; check the routes of your installed version and extend the allowlist until loading the page anonymously produces no denials in the proxy log), and the allowlist must never include the Socket.IO path that carries the dashboard, since that channel is the administrative interface. Anyone who can load a public status page also learns the names of the services on it, so only pages built for an outside audience belong on the allowlist.

Does OnePAM affect Uptime Kuma's monitoring checks?

No. Uptime Kuma runs its checks (HTTP(S) requests, TCP port checks, pings, DNS lookups and so on) outbound from the server itself. OnePAM sits only on the inbound path to the user-facing web interface and never touches that traffic.

Can we restrict who can modify monitors vs. view status?

Yes, with one constraint that comes from how Uptime Kuma works. The dashboard performs its changes (adding monitors, editing notifications) over its Socket.IO channel rather than over separate HTTP endpoints, so a proxy cannot tell a read from a write inside the dashboard by path or method. The workable pattern is group-based: IdP groups that map to admin get the dashboard, and groups that map to read-only get status pages, which expose availability data without any ability to modify monitors.

Does OnePAM work with Uptime Kuma's WebSocket interface?

Yes. Uptime Kuma's real-time updates run over Socket.IO, which opens with HTTP long-polling and then upgrades to WebSocket, both on the same path. OnePAM authenticates the initial connection and maintains the authentication context across the upgrade, so the dashboard channel is never reachable without an identity.
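The step-by-step guide above and the three FAQ answers on public status pages, read-only access and the WebSocket channel all come down to one request-level decision at the proxy. The following is an added example of that decision written in Python; it is not OnePAM's implementation, and OnePAM's own policy configuration is not shown on this page. Its assumptions are labelled in the code: the Uptime Kuma paths (/status/<slug>, /api/status-page/<slug>, /api/status-page/heartbeat/<slug>, /socket.io/) are the routes as the author of this example knows them and should be checked against the installed version; the IdP group names, the status page slugs and the sample requests are constructed; X-Forwarded-User is the identity header named on this page, and what Uptime Kuma itself does with it is outside what the page covers.

```python
"""Request-level access policy for an authenticating proxy in front of Uptime Kuma.

Added example, not OnePAM's implementation. Assumptions (labelled):
- Uptime Kuma paths below are its routes as known to the author of this example;
  verify them against your installed version.
- Group names, slugs and sample requests are constructed.
- X-Forwarded-User is the identity header named on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str                                  # path plus optional query string
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None                 # set by the SSO layer after IdP login
    groups: frozenset = frozenset()            # IdP group claims for that user


@dataclass
class Decision:
    allow: bool
    reason: str
    upstream_headers: dict = field(default_factory=dict)  # sent on to Uptime Kuma
    audit: dict = field(default_factory=dict)             # one audit record per request


# Status pages that may be read without SSO (assumed slug).
PUBLIC_SLUGS = {"public"}

# IdP group -> proxy role. Hypothetical group names.
ROLE_BY_GROUP = {"sre-admins": "admin", "status-viewers": "viewer"}

# Status page HTML and the two JSON endpoints that page loads (assumed routes).
_STATUS_PATH = re.compile(r"^/(?:status|api/status-page(?:/heartbeat)?)/([A-Za-z0-9_-]+)/?$")


def status_slug(path: str) -> Optional[str]:
    """Return the status-page slug a path belongs to, or None for anything else."""
    m = _STATUS_PATH.match(path.split("?", 1)[0])
    return m.group(1) if m else None


def _audit(req: Request, user: str, action: str) -> dict:
    return {"user": user, "path": req.path, "action": action}


def evaluate(req: Request) -> Decision:
    """Decide one request: allow/deny, headers to forward, and the audit record."""
    # The proxy is the only party allowed to assert identity to Uptime Kuma,
    # so a client-supplied X-Forwarded-User is dropped before anything else.
    fwd = {k: v for k, v in req.headers.items() if k.lower() != "x-forwarded-user"}
    slug = status_slug(req.path)

    # Path-based allow: intentionally public status pages need no SSO.
    if slug in PUBLIC_SLUGS:
        return Decision(True, "public-status-page", fwd, _audit(req, "anonymous", "view-status"))

    # Everything else requires an authenticated identity from the IdP.
    if req.user is None:
        return Decision(False, "sso-required", {}, _audit(req, "anonymous", "denied"))
    roles = {ROLE_BY_GROUP[g] for g in req.groups if g in ROLE_BY_GROUP}
    if not roles:
        return Decision(False, "no-role", {}, _audit(req, req.user, "denied"))
    fwd["X-Forwarded-User"] = req.user

    # Private status pages: read-only by construction, so any role may view them.
    if slug is not None:
        return Decision(True, "private-status-page", fwd, _audit(req, req.user, "view-status"))

    # The dashboard drives every monitor/notification change over Socket.IO
    # events on /socket.io/ (HTTP long-polling first, then the WebSocket
    # upgrade), not over distinct HTTP endpoints. A proxy therefore cannot
    # separate "view" from "modify" inside the dashboard: the dashboard and
    # its Socket.IO channel are admin-only, viewers get status pages.
    if "admin" in roles:
        return Decision(True, "dashboard-admin", fwd, _audit(req, req.user, "dashboard"))
    return Decision(False, "admin-role-required", {}, _audit(req, req.user, "denied"))


# Constructed sample requests (not captured traffic).
SAMPLES = [
    Request("/status/public"),
    Request("/api/status-page/heartbeat/public"),
    Request("/socket.io/?EIO=4&transport=polling"),
    Request("/status/internal", user="ana@example.com", groups=frozenset({"status-viewers"})),
    Request("/socket.io/?EIO=4&transport=websocket", user="ana@example.com",
            groups=frozenset({"status-viewers"})),
    Request("/socket.io/?EIO=4&transport=websocket", user="sam@example.com",
            groups=frozenset({"sre-admins"}), headers={"X-Forwarded-User": "root"}),
]


def run_samples() -> list:
    """Evaluate every sample and return the decision reasons in order."""
    return [evaluate(r).reason for r in SAMPLES]


if __name__ == "__main__":
    for req in SAMPLES:
        d = evaluate(req)
        print(f"{'ALLOW' if d.allow else 'DENY ':5} {req.path:45} {d.reason:22} {d.audit}")
```

Two points worth carrying into a real deployment. The proxy drops any X-Forwarded-User a client sends before setting its own, because that header is only trustworthy when the proxy is the sole path to Uptime Kuma, which is exactly what step 1 of the guide establishes. And both Socket.IO transports, the initial HTTP long-polling and the WebSocket upgrade, arrive on /socket.io/, so a single rule gates the whole dashboard channel. The public allowlist here covers the page HTML and its two data endpoints; a given version may fetch more (logo uploads, a manifest), which shows up as anonymous denials in the audit records when a public page is loaded, and the pattern is extended from there.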

Ready to Secure Uptime Kuma with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Uptime Kuma code changes required. Start your free 14-day trial today.