diff --git a/cmd/registry/config.yml b/cmd/registry/config.yml
index bf79ca8f7..4919e6dbe 100644
--- a/cmd/registry/config.yml
+++ b/cmd/registry/config.yml
@@ -5,3 +5,6 @@ storage:
         rootdirectory: /tmp/registry-dev
 http:
     addr: :5000
+    secret: asecretforlocaldevelopment
+    debug:
+        addr: localhost:5001
diff --git a/cmd/registry/main.go b/cmd/registry/main.go
index 73c85ae1f..98f3d5bda 100644
--- a/cmd/registry/main.go
+++ b/cmd/registry/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	_ "expvar"
 	"flag"
 	"fmt"
 	"net/http"
@@ -47,6 +48,10 @@ func main() {
 	handler = handlers.CombinedLoggingHandler(os.Stdout, handler)
 	log.SetLevel(logLevel(config.Loglevel))
 
+	if config.HTTP.Debug.Addr != "" {
+		go debugServer(config.HTTP.Debug.Addr)
+	}
+
 	if config.HTTP.TLS.Certificate == "" {
 		log.Infof("listening on %v", config.HTTP.Addr)
 		if err := http.ListenAndServe(config.HTTP.Addr, handler); err != nil {
@@ -142,3 +147,13 @@ func configureReporting(app *registry.App) http.Handler {
 
 	return handler
 }
+
+// debugServer starts the debug server with pprof, expvar among other
+// endpoints. The addr should not be exposed externally. For most of these to
+// work, tls cannot be enabled on the endpoint, so it is generally separate.
+func debugServer(addr string) {
+	log.Infof("debug server listening %v", addr)
+	if err := http.ListenAndServe(addr, nil); err != nil {
+		log.Fatalf("error listening on debug interface: %v", err)
+	}
+}
diff --git a/configuration/configuration.go b/configuration/configuration.go
index 8dd71e78f..0cf5bc02a 100644
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@@ -54,6 +54,14 @@ type Configuration struct {
 			// Certificate.
 			Key string `yaml:"key"`
 		} `yaml:"tls"`
+
+		// Debug configures the http debug interface, if specified. This can
+		// include services such as pprof, expvar and other data that should
+		// not be exposed externally. Left disabled by default.
+		Debug struct {
+			// Addr specifies the bind address for the debug server.
+			Addr string `yaml:"addr"`
+		} `yaml:"debug"`
 	} `yaml:"http"`
 }