As pointed out in by @joaopgrassi and team in #17 (comment).
The metric attributes server.address and server.port on the http.server.* metrics can be manipulated externally by spoofing the HTTP Host header, which can lead to similar cardinality problems and degraded observability as open-telemetry/opentelemetry-specification#3470 (http.request.method).
After discussing with @lmolkova, our recommendation is make server.address and server.port Opt-In on all http.server.* metrics.
We believe that the majority of instrumented apps do not expose multiple virtual hosts/ports, and that the service.name resource attribute is a reasonable alternative to server.address and server.port in these cases.
As pointed out in by @joaopgrassi and team in #17 (comment).
The metric attributes
server.addressandserver.porton thehttp.server.*metrics can be manipulated externally by spoofing the HTTP Host header, which can lead to similar cardinality problems and degraded observability as open-telemetry/opentelemetry-specification#3470 (http.request.method).After discussing with @lmolkova, our recommendation is make
server.addressandserver.portOpt-In on allhttp.server.*metrics.We believe that the majority of instrumented apps do not expose multiple virtual hosts/ports, and that the
service.nameresource attribute is a reasonable alternative toserver.addressandserver.portin these cases.