The SkyWalking OAP server, UI, and agent deployments should run in a secure environment, such as only inside your data center. In the default deployment, the OAP server, UI, and agent deployments should be reachable only by the operations team.
All telemetry data are trusted. The OAP server does not validate any field of the telemetry data, to avoid extra load on the server.
It is up to the operator (OPS team) whether to expose the OAP server, UI, or some agent deployments to an unsecured environment. Consider adding the following security policies to secure your SkyWalking deployment.
sw8-correlation) when requests come from outside the trusted zone. Alternatively, simply block or remove those headers unless you are using the client-js agent.
For sensitive environments, consider limiting the telemetry report frequency to guard against DoS/DDoS on exposed OAP and UI services.
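One way to apply the header validation policy above at the edge of the trusted zone, as an added example that is not SkyWalking code. It assumes the `sw8` and `sw8-correlation` layouts from SkyWalking's cross-process propagation protocol v3 and the `sw8-x` header name (not given on this page); the function names, the sample value, and the size limits are constructed for illustration.

```python
import base64

TRACE_HEADERS = ("sw8", "sw8-x", "sw8-correlation")
MAX_FIELD_BYTES = 256       # assumed per-field limit, tune for your services
MAX_CORRELATION_ITEMS = 3   # assumed limit on correlation pairs
# Constructed sample: every encoded field is Base64 of "abc" or "svc".
SAMPLE_SW8 = "1-YWJj-YWJj-3-c3Zj-c3Zj-YWJj-YWJj"

def _b64_text(field):
    """Decode one Base64 field; None if malformed, empty, oversized or unprintable."""
    try:
        raw = base64.b64decode(field, validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not raw or len(raw) > MAX_FIELD_BYTES or not text.isprintable():
        return None
    return text

def valid_sw8(value):
    """sw8: sample-traceId-segmentId-spanId-service-instance-endpoint-address."""
    parts = value.split("-")
    if len(parts) != 8 or parts[0] not in ("0", "1"):
        return False
    if not (parts[3].isascii() and parts[3].isdigit() and len(parts[3]) <= 9):
        return False
    return all(_b64_text(parts[i]) is not None for i in (1, 2, 4, 5, 6, 7))

def valid_correlation(value):
    """sw8-correlation: comma-separated base64(key):base64(value) pairs."""
    items = value.split(",")
    if len(items) > MAX_CORRELATION_ITEMS:
        return False
    for item in items:
        key, sep, val = item.partition(":")
        if not sep or _b64_text(key) is None or _b64_text(val) is None:
            return False
    return True

def sanitize_untrusted(headers):
    """Keep validated sw8/sw8-correlation; otherwise remove the whole family."""
    lower = {k.lower(): v for k, v in headers.items()}
    ok = valid_sw8(lower.get("sw8", ""))
    if ok and "sw8-correlation" in lower:
        ok = valid_correlation(lower["sw8-correlation"])
    # sw8-x is not validated in this sketch, so it is always removed.
    drop = {"sw8-x"} if ok else set(TRACE_HEADERS)
    return {k: v for k, v in headers.items() if k.lower() not in drop}
```

Call `sanitize_untrusted` on requests arriving from outside the trusted zone before they reach an instrumented service; traffic from the client-js agent needs its own handling, as the policy notes.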
The SkyWalking client-js agent always runs outside the secured environment. Please follow its security notice for more details.