gotcha | java | spring | Critical
Spring Boot Actuator endpoints exposed in production without authentication
Tags: actuator, security, env endpoint, heapdump, exposure, management endpoints, production hardening
Problem
Spring Boot Actuator endpoints like /actuator/env, /actuator/heapdump, and /actuator/beans expose sensitive configuration and runtime data. By default in production-like environments they may be reachable without authentication, leaking secrets and internal structure.
Solution
Restrict which endpoints are exposed and secure them with Spring Security.

Whitelist the exposed endpoints and move them to a dedicated management port (application.yml):

    management:
      endpoints:
        web:
          exposure:
            include: health,info,metrics,prometheus   # whitelist only
      endpoint:
        health:
          show-details: when-authorized
      server:
        port: 8081   # separate management port

Secure the management endpoints in Spring Security (the health matcher has to come before the catch-all, because the first matching rule wins):

    .requestMatchers("/actuator/health").permitAll()
    .requestMatchers("/actuator/**").hasRole("ADMIN")

For the health endpoint only, permitAll is reasonable so load balancers can probe it without credentials.
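As an added example (not code from the original card), the two matchers above written out as a complete, actuator-only Spring Security filter chain against the Spring Boot 3.x / Spring Security 6.x APIs. It uses EndpointRequest matchers instead of literal "/actuator/**" paths so the rules keep tracking the management base-path and management.server.port; it assumes the application already has a user store that grants ROLE_ADMIN and a second, lower-priority chain for its own routes.

```java
// Added example, not part of the original card. Spring Boot 3.x / Spring Security 6.x.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    // Evaluated before the application's own chain, which is assumed to carry a
    // higher @Order value and to handle everything that is not an actuator endpoint.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to actuator endpoints only. EndpointRequest resolves the
            // configured base-path and management port, so moving the actuator to
            // management.server.port=8081 does not silently bypass these rules.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Health first: load balancers probe it without credentials.
                // show-details: when-authorized still hides component details from them.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else under the actuator (env, heapdump, beans, ...) needs ADMIN.
                // Order matters: a catch-all placed above the health rule would win instead.
                .anyRequest().hasRole("ADMIN"))
            // Management tooling authenticates with HTTP Basic; no browser login form needed.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```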
Why
The /actuator/env endpoint displays all resolved environment properties including masked but still guessable secrets. The /actuator/heapdump endpoint allows downloading a full heap dump which can contain cleartext passwords and tokens in memory.
Gotchas
- spring.jmx.enabled=false should be set to prevent JMX exposure of the same endpoints
- management.server.port puts actuator on a separate port — useful to block it at the network/firewall level
- health.show-details: when-authorized requires the caller to be authenticated; always shows component details to anyone, and never shows them to no one