How to Secure Spring Boot Actuator Endpoints

A quick guide to Spring Boot Actuator security: learn what the actuator exposes, why exposing an endpoint does not protect it, and how to put authentication in front of it, with the help of an example.

Secure Actuator Endpoints

The Actuator endpoints reveal sensitive information about the running application: its beans, configuration properties and environment variables, thread and heap dumps, request mappings and metrics. Anyone who can reach an exposed endpoint can read that data, and some endpoints (for example the loggers endpoint) accept writes. Therefore it is really important to put an access restriction on those endpoints.

Sensitive Endpoints

Spring Boot 1.x called every endpoint other than "/health" and "/info" sensitive and did not serve them without security. In Spring Boot 2.x the endpoints are enabled, but by default only "/health" and "/info" are exposed over HTTP (from Spring Boot 2.5 only "/health"); everything else stays unreachable until you expose it through the properties configuration. Note that "enabled" and "exposed" are separate settings, and that exposure over JMX is configured independently of exposure over the web.

Enable All Endpoints

management:
  endpoints:
    web:
      exposure:
        include: '*'

Enable Specific Endpoints

management:
  endpoints:
    web:
      exposure:
        include: ["beans", "metrics"]

However, exposing an endpoint does not secure it: everyone who can reach the management port can now read every exposed endpoint without credentials. Prefer an explicit include list over '*' so that you expose only what you need, and then put a password-protected mechanism in front of the endpoints.

Password Protected Actuator Endpoints

To password-protect the endpoints, add the starter dependency for Spring Security.

Gradle:

implementation 'org.springframework.boot:spring-boot-starter-security'

Maven:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Thanks to Spring Boot auto-configuration, adding the starter is enough to initialise all the security-related components: every HTTP endpoint of the application, actuator included, now requires authentication via HTTP Basic or the form login. Without further configuration Spring Boot creates a single user named "user" with a random password that is printed in the startup log, which is unusable for monitoring tools. To use a fixed account, define a username and password as in the configuration below.

spring:
  security:
    user:
      name: monitor
      password: monitor123

Treat the password as a secret: supply it through an environment variable or an external property override (for example SPRING_SECURITY_USER_PASSWORD) rather than committing a plaintext value to application.yml.

This is all you need to do to put authentication in front of the Spring Boot Actuator endpoints. Keep in mind that this default locks the whole application, not only the actuator, behind that one user; when the actuator needs its own rules, such as an open /health for a load balancer and a dedicated operations role for everything else, you configure a SecurityFilterChain for the actuator paths.
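One way to scope the rules to the actuator is shown below. This is an added example, not code from the original article or from Spring Boot itself. It assumes Spring Boot 3 with Spring Security 6 (older releases spell securityMatcher as requestMatcher) and that the monitor user from the YAML above has been given a role through the property spring.security.user.roles: ACTUATOR_ADMIN; the class name ActuatorSecurityConfig and the role name are this example's own choices.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Security rules that apply only to actuator endpoints (added example, not
 * part of the original article). Assumes the configured user carries the
 * role ACTUATOR_ADMIN, e.g. spring.security.user.roles: ACTUATOR_ADMIN
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before any chain that covers the rest of the application
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain only handles requests that target an actuator endpoint,
            // wherever the management base path or port is configured.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // liveness/readiness probes and build info may stay anonymous
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // everything else (/beans, /env, /heapdump, /loggers, ...) needs the
                // operations role; hasRole adds the ROLE_ prefix automatically
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // credentials travel in the Authorization header on every request,
            // so no browser session is created for monitoring clients
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // without a session there is no cookie for CSRF to protect, and the
            // POST endpoints (for example /actuator/loggers) would otherwise be
            // rejected for lacking a CSRF token
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```

Declaring your own SecurityFilterChain bean makes Spring Boot's auto-configured catch-all chain back off, so the rest of the application must get a second, lower-priority chain of its own; otherwise requests outside the actuator are no longer authenticated at all.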

Access Secured Endpoints

First, start the application and request any exposed endpoint without credentials; you should get a "401 Unauthorized" response.

~ curl -X GET http://localhost:8081/actuator/beans
----
{
  "timestamp": "2019-02-25T20:44:35.388+0000",
  "status": 401,
  "error": "Unauthorized",
  "message": "Unauthorized",
  "path": "/actuator/beans"
}

Then add an Authorization header with Basic Auth. The token is simply the Base64 encoding of username:password, so you can generate it on the command line (printf 'monitor:monitor123' | base64), let curl do it for you with -u monitor:monitor123, or create it in Postman. Otherwise, simply open the actuator endpoint in a browser and it will prompt for the username and password.

➜ ~ curl -X GET \
    http://localhost:8081/actuator/beans \
    -H 'Authorization: Basic bW9uaXRvcjptb25pdG9yMTIz'
---
{
  "contexts": {
    "Songs Service": {
      "beans": {
        "endpointCachingOperationInvokerAdvisor": {
          "ali ......   // Skipped


To sum up, in this Spring Boot Actuator security tutorial you learnt how to secure actuator endpoints. You also learnt that Spring Boot does not expose most actuator endpoints over HTTP by default, that they can be exposed using the properties configuration, and that exposing them does not protect them. Moreover, you can password-protect the endpoints using the Spring Security module.

Spring Boot auto-configures Spring Security, and you only need to define a username and password for the endpoints. Finally, unauthenticated access to the endpoints results in a "401 Unauthorized" response.

Full source code of the examples used here, is available at our Github Repository.