Spring Boot framework, ~5 mins

Securing actuator endpoints in Spring Boot

Introduction

Actuator endpoints expose important information about your app (health, metrics, environment properties and more). Securing them stops unauthorized users from reading or changing that information.

When you want to protect app health and metrics info from public access.
When deploying your app in production and need to limit who can see sensitive data.
When you want to require login or special roles to access management endpoints.
When you want to disable some actuator endpoints for security reasons.
When you want to use HTTPS and authentication for actuator URLs.
Syntax
Spring Boot
management.endpoints.web.exposure.include=health,info,env
management.endpoint.health.show-details=when_authorized
spring.security.user.name=admin
spring.security.user.password=secret
spring.security.user.roles=ADMIN

# In Java config
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
      .authorizeHttpRequests(auth -> auth
        .requestMatchers("/actuator/health", "/actuator/info").permitAll()
        .requestMatchers("/actuator/**").hasRole("ADMIN")
        .anyRequest().authenticated()
      )
      .httpBasic(Customizer.withDefaults()); // httpBasic() with no argument is deprecated since Spring Security 6.1
    return http.build();
}

You configure which endpoints are exposed over HTTP with management.endpoints.web.exposure.include; an endpoint that is not listed there is not reachable at all.

Use Spring Security to require login or specific roles for the actuator URLs that are exposed.
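The following configuration class is an added example, not code from the original page. It applies the same rules as the syntax block above but uses Spring Boot's EndpointRequest matchers instead of hard-coded "/actuator/..." strings, so the rules keep working if management.endpoints.web.base-path is changed. The class name ActuatorSecurityConfig and the property values in the comments are assumptions for illustration.

```java
package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (hypothetical class name); complements, not replaces, the page's own config.
@Configuration
public class ActuatorSecurityConfig {

    // Exposure is the first line of defence and is set in application.properties.
    //
    // Weak (assumed value for illustration): every endpoint, including env, is reachable over HTTP
    //   management.endpoints.web.exposure.include=*
    //
    // Hardened: only what operators actually need
    //   management.endpoints.web.exposure.include=health,info,env
    //   management.endpoint.health.show-details=when_authorized

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
          .authorizeHttpRequests(auth -> auth
            // Rule order matters: the first matching rule wins, so the public
            // endpoints must be listed before the catch-all actuator rule.
            .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
            // Every other exposed actuator endpoint needs the ADMIN role.
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
            // The rest of the application still requires a login.
            .anyRequest().authenticated()
          )
          // Customizer.withDefaults() is the non-deprecated form of httpBasic().
          .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

EndpointRequest.to(...) and EndpointRequest.toAnyEndpoint() come from spring-boot-actuator-autoconfigure and resolve the actual management base path at runtime, which is why they are preferred over string patterns when the base path or management port is customised.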

Examples
Only the health, info, and env endpoints are exposed over HTTP.
Spring Boot
management.endpoints.web.exposure.include=health,info,env
Health details are shown only when the user is authorized.
Spring Boot
management.endpoint.health.show-details=when_authorized
Sets up a single ADMIN user with a username and password for basic auth.
Spring Boot
spring.security.user.name=admin
spring.security.user.password=secret
spring.security.user.roles=ADMIN
Java config that allows public access to health and info but requires the ADMIN role for all other actuator endpoints. The permitAll rule must come before the /actuator/** rule, because the first matching rule wins.
Spring Boot
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
      .authorizeHttpRequests(auth -> auth
        .requestMatchers("/actuator/health", "/actuator/info").permitAll()
        .requestMatchers("/actuator/**").hasRole("ADMIN")
        .anyRequest().authenticated()
      )
      .httpBasic(Customizer.withDefaults()); // httpBasic() with no argument is deprecated since Spring Security 6.1
    return http.build();
}
Sample Program

This Spring Boot app configures security so that anyone can read /actuator/health and /actuator/info without logging in. All other actuator endpoints require a login with the ADMIN role, using HTTP basic auth. The user itself comes from the spring.security.user.* properties shown above.

Spring Boot
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // Defining a SecurityFilterChain bean replaces Spring Boot's default chain,
    // so every rule the app needs must be listed here.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
          .authorizeHttpRequests(auth -> auth
            // Public endpoints first: the first matching rule wins.
            .requestMatchers("/actuator/health", "/actuator/info").permitAll()
            // Everything else under /actuator needs the ADMIN role (ROLE_ADMIN).
            .requestMatchers("/actuator/**").hasRole("ADMIN")
            // Any other URL in the app requires an authenticated user.
            .anyRequest().authenticated()
          )
          // Customizer.withDefaults() is the non-deprecated form of httpBasic().
          .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
Important Notes

Always test actuator security in your own environment before deploying, so that a misordered rule or a missing exposure setting is caught early.

Use HTTPS so that the credentials sent with basic auth are not transmitted in clear text.

You can define your own users and roles with Spring Security (for example a UserDetailsService) for finer-grained control than the single spring.security.user.* account.
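The first note above says to test actuator security before deploying. The test class below is an added example, not part of the original page, that does exactly that for the sample program with MockMvc. It assumes the DemoApplication class from the sample program, the spring-boot-starter-test and spring-security-test dependencies, and the admin/secret user from the properties; the test class name and the USER role are assumptions for illustration.

```java
package com.example.demo;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added example (hypothetical class name). The properties pin the test to the
// exposure and user settings discussed on the page, so it is self-contained.
@SpringBootTest(properties = {
    "management.endpoints.web.exposure.include=health,info,env",
    "management.endpoint.health.show-details=when_authorized",
    "spring.security.user.name=admin",
    "spring.security.user.password=secret",
    "spring.security.user.roles=ADMIN"
})
@AutoConfigureMockMvc
class ActuatorSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void healthIsPublic() throws Exception {
        // permitAll rule: no credentials needed
        mockMvc.perform(get("/actuator/health")).andExpect(status().isOk());
    }

    @Test
    void envRequiresLogin() throws Exception {
        // Anonymous caller hits the /actuator/** rule and gets a basic-auth challenge
        mockMvc.perform(get("/actuator/env")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")
    void envRejectsNonAdmin() throws Exception {
        // Authenticated but lacking ROLE_ADMIN: forbidden
        mockMvc.perform(get("/actuator/env")).andExpect(status().isForbidden());
    }

    @Test
    void envAllowsAdminWithBasicAuth() throws Exception {
        // The configured admin user passes both authentication and the role check
        mockMvc.perform(get("/actuator/env").with(httpBasic("admin", "secret")))
               .andExpect(status().isOk());
    }

    @Test
    void unexposedEndpointIsNotReachableEvenForAdmin() throws Exception {
        // "beans" is not in exposure.include, so even ADMIN gets 404:
        // exposure and authorization are two separate layers
        mockMvc.perform(get("/actuator/beans").with(httpBasic("admin", "secret")))
               .andExpect(status().isNotFound());
    }
}
```

Run it with the project's normal test command (for example ./mvnw test or ./gradlew test). If the permitAll and /actuator/** rules are accidentally swapped, healthIsPublic fails; if exposure.include is widened to *, the last test fails, which makes both regressions visible before deployment.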

Summary

Actuator endpoints reveal information about the running app and need protection.

Use management.endpoints.web.exposure.include to choose visible endpoints.

Use Spring Security to require a login or specific roles for the actuator URLs you expose.