docs: add notes about disabling internal-backstage endpoints (#574)

docs/deploying.md

@@ -119,3 +119,22 @@ $ echo $?
 If you're hosting Edge with a self-signed certificate using the tls cli arguments, you should use
 the `--ca-certificate-file <file_containing_your_ca_and_key_in_pem_format>` flag (or the CA_CERTIFICATE_FILE environment
 variable) to allow the health checker to trust the self signed certificate.
+
+
+## Security considerations
+
+Edge by default exposes quite a few debug endpoints to help you understand what is going on.
+
+These endpoints can be sensitive, so you should protect them from public access. We recommend using a reverse proxy to protect these endpoints.
+When using a reverse proxy, all endpoints under `/internal-backstage` should be protected from public access.
+If you're exposing Edge to the public internet without a reverse proxy, each endpoint under `/internal-backstage` can be disabled at startup by setting
+the following flags:
+
+| CLI Flag | Environment variable | Description | URL |
+| --- | --- | --- | --- |
+| --disable-metrics-batch-endpoint | DISABLE_METRICS_BATCH_ENDPOINT | Disables the metrics batch endpoint | /internal-backstage/metricsbatch |
+| --disable-metrics-endpoint | DISABLE_METRICS_ENDPOINT | Disables the metrics endpoint | /internal-backstage/metrics |
+| --disable-tokens-endpoint | DISABLE_TOKENS_ENDPOINT | Disables the tokens endpoint | /internal-backstage/tokens |
+| --disable-features-endpoint | DISABLE_FEATURES_ENDPOINT | Disables the features endpoint | /internal-backstage/features |
+
+In addition /internal-backstage has the `/ready` and `/health` endpoints, but since these only return a 200 OK and a status, they are safe to expose.