I suspect the bucket that is being used is not password protected as a result the stats for it are not protected. Once the bucket has a password then the stats for it can only be accessed via an authenticated user.
Here is an example of trying to access the stats for a password protect bucket, as expected a 401 error is returned.
$ curl -v http://localhost:8091/pools/default/buckets/test-bucket/stats
* Trying ::1...
* connect to ::1 port 8091 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8091 (#0)
> GET /pools/default/buckets/test-bucket/stats HTTP/1.1
> Host: localhost:8091
> User-Agent: curl/7.43.0
> Accept: */*
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Couchbase Server Admin / REST"
< Server: Couchbase Server
< Pragma: no-cache
< Date: Wed, 29 Jun 2016 19:08:20 GMT
< Content-Length: 0
< Cache-Control: no-cache
* Connection #0 to host localhost left intact
In a production environment we strong recommend that a bucket is always password protected. It is also worth mentioning that bucket configuration cannot be changed without being authenticated whether the bucket is password protected or not.