Secure Spring Boot Actuator: Prevent Sensitive Data Exposure
This article explains how Spring Boot Actuator can unintentionally expose sensitive endpoints like /env, /configprops, and /threaddump, and provides detailed configuration and custom sanitizing techniques to protect confidential information in production environments.
Environment: Spring Boot 2.7.18
1. Introduction
The Spring Boot Actuator module provides production‑ready features for monitoring and interacting with an application. Built‑in endpoints such as /health expose health information, but misconfiguration can create security risks that must be avoided.
2. Security Vulnerabilities
When Actuator is enabled with a configuration like the following, which sets exposure.include to '*', all endpoints are exposed without restriction:
<code>management:
  endpoints:
    web:
      cors:
        allow-credentials: true
        allowed-headers: '*'
        allowed-origins: ''
      base-path: /ac
      exposure:
        include: '*'
</code>
This exposes sensitive endpoints such as /env, /configprops, and /threaddump, which can reveal complete system information:
/configprops
/env
/threaddump
Exposing these endpoints can lead to serious security incidents, especially the /configprops endpoint, which may leak private configuration data.
3. Solutions
3.1 Configuration Properties
Spring Boot automatically sanitizes keys ending with password, secret, key, token, vcap_services, or sun.java.command. For example, the following custom configuration demonstrates how a user‑defined property is handled:
<code>import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

@Component
@ConfigurationProperties(prefix = "pack.sys")
public class PackProperties {
    private String name;
    private String password;   // matches the built-in "password" rule
    private String idNo;       // not covered by the default rules

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getIdNo() { return idNo; }
    public void setIdNo(String idNo) { this.idNo = idNo; }
}
# application.yml
pack:
  sys:
    name: pack
    password: 123123
    idNo: 11099111919919191
</code>
Note: Any key ending with one of the listed patterns will be sanitized; idNo is not, so its value appears in clear text in /configprops.
To add additional keys such as idNo, use the additional-keys-to-sanitize property:
<code>management:
  endpoint:
    configprops:
      additional-keys-to-sanitize:
        - idNo
</code>
Keys matching the pattern .*credentials.* are also automatically sanitized.
Spring Boot also sanitizes URI‑type values for the following keys:
address
addresses
uri
uris
url
urls
Example configuration for URI sanitization:
<code>pack:
  sys:
    name: pack
    password: 123123
    idNo: 11099111919919191
    packCredentials: 66666666
    ftpUrl: ftp://pack:123123@ftp.example.com/   # host is a placeholder; only the userinfo password is masked
</code>
3.2 Environment Information
The /env endpoint can be secured in the same way:
<code>management:
  endpoint:
    env:
      additional-keys-to-sanitize:
        - port
        - ...
</code>
Both /env and /configprops have their own keys-to-sanitize property with the same default values: password, secret, key, token, .*credentials.*, vcap_services, sun.java.command.
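As an added stand-alone example (not Spring's own Sanitizer and not code from the article), the following plain-Java class models the key-matching rules described in 3.1 and 3.2 and runs the pack.sys properties above through them, once with the defaults and once with idNo in additional-keys-to-sanitize; the FTP host is a placeholder.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Model of the key-matching rules described above; an approximation, not Spring Boot's Sanitizer. */
public class SanitizeRulesDemo {
    // Default keys-to-sanitize: plain entries match the END of the key, regex entries are used as written.
    static final List<String> DEFAULT_KEYS = List.of("password", "secret", "key", "token",
            ".*credentials.*", "vcap_services", "sun.java.command");
    // Keys whose values are treated as URIs: only the password in user:password@host is masked.
    static final List<String> URI_KEYS = List.of("address", "addresses", "uri", "uris", "url", "urls");
    static final Pattern URI_USERINFO = Pattern.compile("^([A-Za-z][A-Za-z0-9+.\\-]*://[^:/@]+:)[^@]*(@.*)$");
    private final List<Pattern> patterns = new ArrayList<>();

    SanitizeRulesDemo(List<String> additionalKeys) {
        for (String k : DEFAULT_KEYS) patterns.add(toPattern(k));
        for (String k : additionalKeys) patterns.add(toPattern(k));   // additional-keys-to-sanitize
    }

    static Pattern toPattern(String key) {
        boolean regex = key.contains("*") || key.contains("$") || key.contains("^") || key.contains("+");
        return Pattern.compile(regex ? key : ".*" + Pattern.quote(key) + "$", Pattern.CASE_INSENSITIVE);
    }

    String sanitize(String key, String value) {
        String lower = key.toLowerCase();
        for (String uriKey : URI_KEYS) {
            if (lower.endsWith(uriKey)) {
                return URI_USERINFO.matcher(value).replaceAll("$1******$2");   // keep host, hide password
            }
        }
        for (Pattern p : patterns) {
            if (p.matcher(key).matches()) return "******";
        }
        return value;   // no rule matched: the value is exposed as-is
    }

    public static void main(String[] args) {
        Map<String, String> props = new LinkedHashMap<>();   // constructed from the pack.sys example above
        props.put("name", "pack");
        props.put("password", "123123");
        props.put("idNo", "11099111919919191");
        props.put("packCredentials", "66666666");
        props.put("ftpUrl", "ftp://pack:123123@ftp.example.com/");   // placeholder host
        SanitizeRulesDemo defaults = new SanitizeRulesDemo(List.of());
        SanitizeRulesDemo hardened = new SanitizeRulesDemo(List.of("idNo"));
        props.forEach((k, v) -> System.out.printf("%-16s defaults=%-36s with idNo=%s%n",
                k, defaults.sanitize(k, v), hardened.sanitize(k, v)));
    }
}
```

Running it shows idNo in clear text under the defaults and masked only once it is listed, while packCredentials and password are masked by the built-in rules and ftpUrl keeps its host.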
3.3 Custom Sanitizing Function
For finer control, implement a custom SanitizingFunction bean; it is applied to both /env and /configprops:
<code>import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.stereotype.Component;

@Component
public class PackSanitizingFunction implements SanitizingFunction {
    @Override
    public SanitizableData apply(SanitizableData data) {
        String key = data.getKey();
        // The key can be null for some sources, so guard before matching
        if (key != null && key.endsWith("email")) {
            return data.withValue("###");
        }
        return data;
    }
}
</code>
3.4 Other Endpoint Security
Endpoints such as /threaddump and /heapdump should be disabled or protected with Spring Security:
<code>import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {
    @Bean
    SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable());   // note: disables CSRF for the whole application, not only /ac/**
        http.authorizeHttpRequests(auth -> auth
                .antMatchers("/ac/env").hasRole("ADMIN")        // rules are evaluated in order: most specific first
                .antMatchers("/ac/**").hasRole("ACTUATOR")
                .anyRequest().permitAll());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }
}
</code>
Using Spring Security you can control access to all Actuator endpoints without needing to disable them individually.