diff --git a/authelia.subdomain.conf.sample b/authelia.subdomain.conf.sample
index 1a5a0dd..fd06a73 100644
--- a/authelia.subdomain.conf.sample
+++ b/authelia.subdomain.conf.sample
@@ -42,6 +42,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app authelia;
diff --git a/authentik.subdomain.conf.sample b/authentik.subdomain.conf.sample
index fb6a016..7b22778 100644
--- a/authentik.subdomain.conf.sample
+++ b/authentik.subdomain.conf.sample
@@ -38,6 +38,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app authentik-server;
diff --git a/grafana.subdomain.conf.sample b/grafana.subdomain.conf.sample
index b819617..7e1a95e 100644
--- a/grafana.subdomain.conf.sample
+++ b/grafana.subdomain.conf.sample
@@ -62,6 +62,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app grafana;
diff --git a/grafana.subfolder.conf.sample b/grafana.subfolder.conf.sample
index 4d658e0..b6f9a36 100644
--- a/grafana.subfolder.conf.sample
+++ b/grafana.subfolder.conf.sample
@@ -54,6 +54,10 @@ location ^~ /grafana/metrics {
     #auth_basic "Restricted";
     #auth_basic_user_file /config/nginx/.htpasswd;
 
+    # block metrics access by default because it is unprotected
+    # you can comment out the next line to enable remote metrics
+    deny all;
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_grafana grafana;
diff --git a/prometheus.subdomain.conf.sample b/prometheus.subdomain.conf.sample
index a0ef8dd..b937208 100644
--- a/prometheus.subdomain.conf.sample
+++ b/prometheus.subdomain.conf.sample
@@ -73,6 +73,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app prometheus;