Unlocking Spring Boot Actuator: Secure Configuration and Hidden Risks

This article explains what Spring Boot Actuator is, how to quickly add and configure it, details the available endpoints, illustrates common security pitfalls such as exposing sensitive configuration, and provides practical recommendations to safely use Actuator in production environments.

Programmer DD

Preface

Spring Boot Actuator is often added to projects through the spring-boot-starter-actuator dependency, yet many developers neither use its features nor understand its security implications.

What is Spring Boot Actuator?

Actuator provides endpoints to monitor health, environment, metrics, traces, and more, as well as functions for graceful shutdown and memory dumps.

Quick Start

Step 1: Add Dependency

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>2.4.4</version>
</dependency>

Step 2: Understand Endpoints

beans : list all beans in the Spring container.

configprops : show objects annotated with @ConfigurationProperties.

env : display environment properties, such as those loaded from application.yaml.

health : health-check endpoint.

info : application information.

metrics : application metrics.

mappings : show the @RequestMapping paths and the handlers they map to.

shutdown : graceful shutdown.

Step 3: Enable and Expose Endpoints

Each endpoint has an enabled flag (default true, except shutdown, which defaults to false) and an exposure setting (by default only health and info are exposed over the web). If an endpoint is disabled, it is not loaded at all.

Typical configurations:

Expose every endpoint over the web and enable shutdown (convenient in development, risky in production):

management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    shutdown:
      enabled: true

Disable all endpoints by default, then enable and expose only info (the two management.endpoints entries are merged into one mapping, since a YAML mapping cannot repeat a key):

management:
  endpoints:
    enabled-by-default: false
    web:
      exposure:
        include: "info"
  endpoint:
    info:
      enabled: true

Disable every endpoint:

management:
  endpoints:
    enabled-by-default: false

Security Risks

Exposed endpoints can leak sensitive configuration. For example, with the following application.yaml:

server:
  port: 8080
spring:
  datasource:
    url: jdbc:mysql://testDbHost:3306/kirito
    username: kirito
    password: 123456
kirito:
  ak: kirito@xxx_ak
  sk: kirito@xxx_sk
management:
  endpoints:
    web:
      exposure:
        include: "*"

Accessing http://localhost:8080/actuator/env returns all properties, including custom secrets such as kirito.ak and kirito.sk in clear text, while built-in passwords such as spring.datasource.password are masked because their key names match the default sanitizer patterns.
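To make the leak concrete, here is an added Python check (not code from the article or from Spring Boot) that flattens an application.yaml like the one above, estimates what /actuator/env would print under Spring Boot 2.x's default sanitizer, and flags the wildcard exposure, an enabled shutdown endpoint, and custom properties that would appear unmasked. The sanitizer key list mirrors the Boot 2.x defaults; the minimal YAML flattener and the "custom namespace" heuristic are assumptions of this example.

```python
import re
# Spring Boot 2.x default Sanitizer keys: a plain word matches property names ending with it, an entry with '*' is a regex.
PATTERNS = [re.compile(k if "*" in k else ".*" + re.escape(k) + "$", re.IGNORECASE) for k in
            ("password", "secret", "key", "token", ".*credentials.*", "vcap_services", "sun.java.command")]
# Constructed sample: the article's application.yaml (server block omitted for brevity).
SAMPLE_YAML = """\
spring:
  datasource:
    password: 123456
kirito:
  ak: kirito@xxx_ak
  sk: kirito@xxx_sk
management:
  endpoints:
    web:
      exposure:
        include: "*"
"""

def flatten_yaml(text):
    """Minimal YAML flattener (assumption): nested maps with scalar values only, returned as dotted property names."""
    props, stack = {}, []  # stack of (indent, key) describing the current path
    for raw in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # step out of sibling or deeper keys
            stack.pop()
        stack.append((indent, key))
        if value := value.strip().strip("\"'"):
            props[".".join(k for _, k in stack)] = value
    return props

def env_view(props):
    """Approximate what /actuator/env prints for each property: matching keys show "******", others in clear."""
    return {k: "******" if any(p.match(k) for p in PATTERNS) else v for k, v in props.items()}

def audit(props):
    """Findings: risky management settings plus application-specific values /env would show in clear.
    Heuristic (assumption): unmasked keys outside the server/spring/management namespaces are the app's own data."""
    findings = []
    include = props.get("management.endpoints.web.exposure.include", "")
    if include == "*" or "env" in include.split(","):
        findings.append("env endpoint exposed over HTTP (exposure.include=%s)" % include)
    if props.get("management.endpoint.shutdown.enabled", "false").lower() == "true":
        findings.append("shutdown endpoint enabled")
    for key, shown in env_view(props).items():
        if shown != "******" and not key.startswith(("server.", "spring.", "management.")):
            findings.append("unmasked custom property: %s=%s" % (key, shown))
    return findings
```

Running audit(flatten_yaml(SAMPLE_YAML)) reports the wildcard exposure and both kirito.* values, while spring.datasource.password is reported as masked.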

Real-world cases that expose these endpoints include misconfigured reverse proxies, public load balancers in test environments, and compromised machines.

Security Recommendations

Expose only the endpoints you actually need; avoid management.endpoints.web.exposure.include=*.

Run actuator endpoints on a separate port (e.g., management.server.port=8099; the key was management.port in Spring Boot 1.x) to isolate them from the main web service.

Add spring-boot-starter-security and configure access control for each endpoint.

Consider whether you really need spring-boot-starter-actuator; if not, remove the dependency.

Have you secured your Spring Boot Actuator endpoints?

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
