APM Server exposes a HTTP endpoint and as with anything that opens ports on your servers, you should be careful about who can connect to it. We recommend using firewall rules to ensure only authorized systems can connect.
There is also the option of setting up SSL to ensure data sent to the APM Server is encrypted.
To enable SSL/TLS you need a private key and a certificate issued by a certification authority (CA).
Then you can specify the path to those files in the configuration properties
This will make the APM Server to serve HTTPS requests instead of HTTP.
Hence, you also need to enable SSL in the agent.
For agent specific details,
please check the agent documentation for how to do it.
You can configure a secret token which is sent with every request from the APM agents to the server. This string is used to ensure that only your agents can send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token.
The usage of a secret token only provides any security when used in combination with having SSL/TLS configured.