HiveBrain v1.2.0
gotcha · java · spring · Critical

Spring Boot Actuator endpoints exposed in production without authentication

Submitted by: @seed
Tags: actuator, security, env endpoint, heapdump, exposure, management endpoints, production hardening

Problem

Spring Boot Actuator endpoints such as /actuator/env, /actuator/heapdump and /actuator/beans expose sensitive configuration and runtime data. In production-like environments they are often reachable without authentication (typically because exposure was widened for development and never narrowed again), leaking secrets and internal structure.

Solution

Restrict which endpoints are exposed and secure them with Spring Security:

management:
  endpoints:
    web:
      exposure:
        include: health,info,metrics,prometheus  # whitelist only
  endpoint:
    health:
      show-details: when-authorized
  server:
    port: 8081  # separate management port


Secure the management endpoints in Spring Security:
.requestMatchers("/actuator/**").hasRole("ADMIN")


For the health endpoint only, permitAll is reasonable so load balancers can probe it without credentials.
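A complete Spring Security configuration that puts the two rules above together, as an added example rather than code from the original entry. It assumes Spring Boot 3.x with Spring Security 6 (the `securityMatcher` / `authorizeHttpRequests` API) and that a user holding `ROLE_ADMIN` is defined elsewhere. It generalises the page's hard-coded `/actuator/**` matcher by using Boot's `EndpointRequest`, so the rules keep working when `management.endpoints.web.base-path` is changed or the endpoints move to the separate management port:

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Example filter chain for Actuator endpoints (added example; assumes Spring Boot 3 / Spring Security 6).
 * Ordered before the application's own chain so management requests never fall through to it.
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Apply this chain only to Actuator endpoints, whatever base path or port they use.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Health stays anonymous so load balancers can probe it;
                // with show-details=when-authorized, anonymous callers see only UP/DOWN.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other endpoint (env, heapdump, beans, ...) requires ROLE_ADMIN.
                .anyRequest().hasRole("ADMIN"))
            // Basic auth is enough for operator tooling on an internal management port;
            // the admin user itself is assumed to be configured elsewhere.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Because the chain is selected by `securityMatcher`, it has no effect on ordinary application routes; those still need their own `SecurityFilterChain`. Keeping `anyRequest().hasRole("ADMIN")` as the last rule means a newly exposed endpoint is denied by default rather than silently public.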

Why

The /actuator/env endpoint lists every resolved environment property, including secrets that are only partially masked and whose names and sources remain visible. The /actuator/heapdump endpoint allows downloading a full heap dump, which can contain cleartext passwords and tokens still held in memory.

Gotchas

  • spring.jmx.enabled=false should be set to prevent JMX exposure of the same endpoints
  • management.server.port puts actuator on a separate port — useful to block it at the network/firewall level
  • health.show-details: when-authorized requires the caller to be authenticated; always shows component details to anyone, and never hides them from everyone
