Port reference
Port 9090 (TCP) – Prometheus
Prometheus monitoring server web UI, HTTP API, and PromQL query interface. Other web-admin consoles (Cockpit, for one) also default to 9090, so confirm what is actually listening before you assume Prometheus.
Default state
Open when Prometheus runs; the default listen address is 0.0.0.0:9090, i.e. every interface. No authentication is enabled by default: unless you configure TLS and basic auth through a web config file (--web.config.file, supported since v2.24) or front the port with a proxy, anyone reaching 9090 can run PromQL queries and read the target list and loaded configuration. The admin and lifecycle endpoints are additionally reachable if the process was started with --web.enable-admin-api or --web.enable-lifecycle.
Common attacks
- Unauthenticated access to metrics revealing internal topology
- Scraping as SSRF: whoever can add or change scrape targets (the config file, file_sd directories, or Kubernetes ServiceMonitor objects under the operator) can make the server issue HTTP requests to arbitrary internal hosts; the HTTP API itself does not add targets, but /api/v1/targets and /api/v1/status/config reveal what is scraped and how
- Internal recon from labels, targets, and service discovery data
- Admin API abuse (TSDB snapshot, delete_series) when --web.enable-admin-api is set, and POST /-/reload or /-/quit when --web.enable-lifecycle is set
Hardening
- Never expose 9090 to the internet; bind to localhost or an internal VLAN
- Put Prometheus behind an authenticating TLS reverse proxy, or at minimum configure TLS and basic auth in its web config file (--web.config.file)
- Leave the admin API and lifecycle endpoints off: they are disabled unless Prometheus is started with --web.enable-admin-api or --web.enable-lifecycle
- Control who can change scrape configs and service discovery sources, and validate targets against an allowlist of networks, so the scraper cannot be pointed at arbitrary internal services
- IP-allowlist access and keep Prometheus patched
nmap snippet
nmap -p9090 --script http-title,http-headers <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 9090?
Port 9090 is the default for the Prometheus monitoring server. It serves the web UI, the HTTP API, and the PromQL query interface used to explore metrics, targets, and alerting rules. The port is also reused by assorted web-admin tools, but Prometheus is by far the most common occupant.
Why it matters for security
Prometheus enables no authentication by default. Metrics and the target list are a detailed map of your environment (hostnames, service names, versions, scrape paths, internal addresses), so an exposed 9090 hands attackers free internal reconnaissance. The scraper is also a ready-made SSRF engine: anyone who can influence scrape targets or service discovery can have the server fetch URLs inside the network on their behalf.
How it's attacked
Attackers reach an unauthenticated 9090 and query the API (for example /api/v1/targets, /api/v1/status/config and /api/v1/status/flags) to enumerate hosts, services, scrape paths and software versions for targeting; labels and service-discovery metadata fill in the rest. Where they can change scrape configuration or the discovery source it reads from, they point the scraper at internal services and read the responses back as scrape errors or metrics. Where the admin or lifecycle flags are set, they snapshot or delete TSDB data, or reload and stop the server.
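As an added example (not code from this page or from the Prometheus project), the following Python script turns the two API responses an unauthenticated client can fetch into the exposure picture described above. SAMPLE_FLAGS and SAMPLE_TARGETS are constructed stand-ins shaped like the real /api/v1/status/flags and /api/v1/targets responses so the script runs offline; fetch_json and the 10.0.x.x addresses are illustrative.

```python
"""Assess what an unauthenticated client learns from port 9090.

Added example for this page; it is not Prometheus tooling. It interprets the
JSON from two real endpoints, GET /api/v1/status/flags (runtime flags) and
GET /api/v1/targets (everything the server scrapes). SAMPLE_FLAGS and
SAMPLE_TARGETS are constructed stand-ins for those responses so the script
runs offline; pass a base URL to query a live server you are authorized to test.
"""
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of /api/v1/status/flags. Prometheus reports every flag as a string.
SAMPLE_FLAGS = {
    "status": "success",
    "data": {
        "web.listen-address": "0.0.0.0:9090",   # default: every interface
        "web.enable-admin-api": "true",         # default is "false"
        "web.enable-lifecycle": "true",         # default is "false"
        "web.config.file": "",                  # empty: no TLS/basic auth configured in Prometheus
    },
}

# Constructed sample of /api/v1/targets, trimmed to the fields used here.
SAMPLE_TARGETS = {
    "status": "success",
    "data": {
        "activeTargets": [
            {"scrapeUrl": "http://10.0.1.15:9100/metrics", "health": "up",
             "labels": {"job": "node", "instance": "10.0.1.15:9100"}},
            {"scrapeUrl": "http://db-primary.internal:9187/metrics", "health": "up",
             "labels": {"job": "postgres", "instance": "db-primary.internal:9187"}},
            {"scrapeUrl": "http://10.0.2.40:8080/actuator/prometheus", "health": "down",
             "labels": {"job": "payments-api", "instance": "10.0.2.40:8080"}},
        ]
    },
}


def assess_flags(flags):
    """Return findings derived from the flags response (empty list = nothing to report)."""
    data = flags.get("data", {})
    findings = []
    listen = data.get("web.listen-address", "")
    host = listen.rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "[::]"):
        findings.append(f"listens on all interfaces ({listen}): bind to 127.0.0.1 or a management VLAN")
    if data.get("web.enable-admin-api") == "true":
        findings.append("admin API enabled: /api/v1/admin/tsdb/snapshot and delete_series are reachable")
    if data.get("web.enable-lifecycle") == "true":
        findings.append("lifecycle enabled: POST /-/reload and /-/quit are reachable")
    if not data.get("web.config.file"):
        findings.append("no --web.config.file: Prometheus itself enforces neither TLS nor basic auth")
    return findings


def summarize_targets(targets):
    """Reduce the targets response to the recon it hands out: job, host:port, scrape path, health."""
    rows = []
    for t in targets.get("data", {}).get("activeTargets", []):
        url = urlsplit(t.get("scrapeUrl", ""))
        rows.append({
            "job": t.get("labels", {}).get("job", ""),
            "host": url.netloc,
            "path": url.path,
            "health": t.get("health", ""),
        })
    return rows


def fetch_json(base_url, path, timeout=5):
    """GET base_url+path (e.g. http://10.0.0.5:9090) and decode the JSON body."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        flags = fetch_json(sys.argv[1], "/api/v1/status/flags")
        targets = fetch_json(sys.argv[1], "/api/v1/targets")
    else:
        flags, targets = SAMPLE_FLAGS, SAMPLE_TARGETS
    for finding in assess_flags(flags):
        print("!", finding)
    for row in summarize_targets(targets):
        print(f"{row['job']:<14} {row['host']:<28} {row['path']:<22} {row['health']}")
```

Run it with no arguments to see the findings for the constructed sample, or with a base URL such as http://10.0.0.5:9090 against a host you are authorized to test. The flags check is the quick way to confirm whether the admin and lifecycle endpoints are live before anyone touches them; the target summary is exactly the host and path inventory an attacker walks away with.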
Hardening checklist
Never expose 9090 to the internet: bind it to localhost or an internal VLAN
(--web.listen-address=127.0.0.1:9090) and place Prometheus behind an
authenticating TLS reverse proxy, or configure TLS and basic auth in its web
config file (--web.config.file). Leave the admin API and lifecycle endpoints off;
they stay disabled unless you start Prometheus with --web.enable-admin-api or
--web.enable-lifecycle. Control who can change scrape configs and service
discovery sources, validate targets against an allowlist to limit SSRF, and
IP-allowlist access. Keep Prometheus patched. Use the nmap snippet to check
exposure on systems you are authorized to test.
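For the "validate targets against an allowlist" item, here is an added Python linter (not promtool, which checks syntax rather than policy) that a CI step can run over prometheus.yml before it is deployed. It assumes the file has already been parsed into a dict, for example with PyYAML; CONFIG is a constructed sample, and ALLOWED_NETS, ALLOWED_SUFFIX and the 10.0.x.x ranges are example policy values, not anything from the page.

```python
"""Lint a parsed Prometheus scrape config so the scraper only reaches where you intend.

Added example for this page, not part of Prometheus. CONFIG is a constructed
sample; ALLOWED_NETS and ALLOWED_SUFFIX are example policy values. The lint
flags static targets outside the allowlist and any job that takes targets from
a service-discovery source, because such jobs let someone with less access than
the config author add targets and need their own relabel_configs filtering.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]
ALLOWED_SUFFIX = ".monitoring.internal"
# Discovery mechanisms whose targets are not pinned in this file (assumed list for the demo).
DYNAMIC_SD = ("file_sd_configs", "http_sd_configs", "kubernetes_sd_configs",
              "dns_sd_configs", "consul_sd_configs")

# Constructed sample of a parsed prometheus.yml.
CONFIG = {
    "scrape_configs": [
        {"job_name": "node",
         "static_configs": [{"targets": ["10.0.1.15:9100", "10.0.1.16:9100"]}]},
        {"job_name": "vault", "scheme": "https",
         "static_configs": [{"targets": ["vault.monitoring.internal:8200"]}]},
        {"job_name": "oops",
         "static_configs": [{"targets": ["169.254.169.254:80", "internal-wiki.corp:8080"]}]},
        {"job_name": "apps",
         "http_sd_configs": [{"url": "http://sd.example/targets"}]},
    ]
}


def host_allowed(target):
    """True if a host:port target is an IP inside ALLOWED_NETS or a name under ALLOWED_SUFFIX."""
    host = urlsplit("//" + target).hostname  # strips the port and [] around IPv6 literals
    if host is None:
        return False
    try:
        return any(ipaddress.ip_address(host) in net for net in ALLOWED_NETS)
    except ValueError:  # not an IP literal, so judge the DNS name
        return host.endswith(ALLOWED_SUFFIX)


def lint(config):
    """Return one problem string per policy violation; an empty list means the config passes."""
    problems = []
    for job in config.get("scrape_configs", []):
        name = job.get("job_name", "?")
        for sc in job.get("static_configs", []):
            for target in sc.get("targets", []):
                if not host_allowed(target):
                    problems.append(f"{name}: target {target} is outside the allowed networks/suffix")
        for sd in DYNAMIC_SD:
            if sd in job:
                problems.append(f"{name}: uses {sd}; targets are not pinned here, "
                                f"restrict them with relabel_configs and review the source")
    return problems


if __name__ == "__main__":
    for problem in lint(CONFIG):
        print("!", problem)
```

Wire it to run before `promtool check config` in the pipeline that ships prometheus.yml; the sample flags the cloud metadata address and an unrelated corporate host in the oops job, and reminds the reviewer that the http_sd_configs job pulls its targets from elsewhere.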
Frequently asked questions
- What is port 9090 used for?
- It runs the Prometheus monitoring server's web UI, HTTP API, and PromQL query interface. It is also used by various web-admin tools. Prometheus enables no authentication by default; TLS and basic auth must be configured via --web.config.file or a proxy.
- Is it safe to expose Prometheus on 9090?
- No. With no authentication enabled by default, anyone reaching 9090 can query metrics and the target list that map your internal infrastructure, and anyone who can influence scrape targets can use the scraper for SSRF. Bind it internally and front it with an authenticating reverse proxy.