Spring Boot Actuator is a double-edged sword. On one hand, it gives you a god-eye view of your application’s health, metrics, and environment variables. On the other hand, if you’re not following spring boot actuator security best practices, you’re essentially handing a map of your entire infrastructure to anyone with a web browser. I’ve seen production environments where the /env endpoint leaked database passwords in plaintext because a developer forgot to secure the actuator port.
In my experience, the ‘default’ settings are rarely enough for a production-grade system. Whether you are integrating OAuth2 (see my step-by-step Spring Security OAuth2 tutorial) or using basic auth, your monitoring endpoints must be locked down. Here are 10 practical tips to ensure your Actuator endpoints remain a tool for you and not a weapon for attackers.
1. Isolate Actuator on a Different Port
One of the most effective ways to reduce your attack surface is to move Actuator endpoints away from your main application port (usually 8080). By moving them to a dedicated management port, you can block that port at the firewall level for external traffic while allowing internal monitoring tools to access it.
# application.properties
management.server.port=8081
2. Apply the Principle of Least Privilege
Stop exposing everything. By default, Spring Boot only exposes /health and /info. Avoid the temptation to use management.endpoints.web.exposure.include=* in production. Explicitly list only what you need.
# Only expose health and prometheus metrics
management.endpoints.web.exposure.include=health,prometheus
3. Use Role-Based Access Control (RBAC)
Not every admin needs access to the /heapdump or /loggers endpoints. I recommend creating a specific role, such as ROLE_MONITOR, and restricting access via Spring Security.
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Bean
public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
    // Spring Security 6 lambda DSL: this chain applies only to actuator paths, and every request under it needs ROLE_MONITOR via HTTP Basic.
    http.securityMatcher("/actuator/**")
        .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("MONITOR"))
        .httpBasic(Customizer.withDefaults());
    return http.build();
}
4. Sanitize Sensitive Environment Variables
The /env endpoint is dangerous. Even with authentication in front of it, it’s best to sanitize keys that might contain secrets. Spring Boot allows you to mask these values so they appear as asterisks.
# Mask keys containing 'password', 'secret', 'key' or 'token'
management.endpoint.env.keys-to-sanitize=password,secret,key,token
5. Disable Unnecessary Endpoints Entirely
If you don’t use the /shutdown endpoint (which I rarely do in containerized environments like Kubernetes), disable it completely. An exposed shutdown endpoint is a trivial way for an attacker to perform a Denial of Service (DoS) attack.
management.endpoint.shutdown.enabled=false
6. Integrate with a Centralized Logging Framework
Security isn’t just about blocking; it’s about visibility. If someone is brute-forcing your actuator endpoints, you need to know. Pair your security config with a robust logging strategy. If you’re unsure which one to pick, check out my review of the best Spring Boot logging frameworks to set up proper auditing.
7. Use HTTPS for All Management Traffic
Since Actuator endpoints often transmit sensitive metadata, sending this over HTTP is a huge risk. Use SSL/TLS to encrypt the traffic between your monitoring tool (like Prometheus or Grafana) and your application.
8. Implement Rate Limiting
Endpoints like /metrics or /heapdump can be resource-intensive. A malicious actor could spam these endpoints to exhaust your JVM memory. Implement a rate limiter at the API Gateway level or using a library like Resilience4j.
9. Avoid Hardcoding Secrets in Properties
Actuator’s /env can sometimes reveal where secrets are being pulled from. Avoid application.properties for secrets; use environment variables or a secret manager (like HashiCorp Vault or AWS Secrets Manager).
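As an added example (my own, not code from the original post), here is a small POSIX sh linter that checks an application.properties file for the weak settings named in tips 1, 2, 4, 5 and 9. The temp directory, the two sample files and the hunter2 value are constructed for the demo; the property keys are the real Spring Boot keys quoted above. Run it with --demo to audit both samples.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Spring Boot
# application.properties against tips 1, 2, 4, 5 and 9. All file names and
# the sample files written by make_samples are constructed for this demo.

# prop FILE KEY -> prints KEY's value (last definition wins, comments are
# ignored), or nothing if the key is not set.
prop() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_props FILE -> prints one line per weak setting found.
audit_props() {
    f="$1"
    # Tip 1: without a dedicated management port, actuator shares the app port.
    [ -n "$(prop "$f" management.server.port)" ] \
        || echo "WARN management.server.port unset: actuator served on the app port (tip 1)"
    # Tip 2: a wildcard exposure list publishes every endpoint, /env and /heapdump included.
    case "$(prop "$f" management.endpoints.web.exposure.include)" in
        *\**) echo "FAIL exposure.include contains '*': all endpoints exposed (tip 2)" ;;
    esac
    # Tip 4: no explicit sanitize list.
    [ -n "$(prop "$f" management.endpoint.env.keys-to-sanitize)" ] \
        || echo "WARN keys-to-sanitize unset: only Spring Boot's built-in masking applies (tip 4)"
    # Tip 5: an enabled /shutdown lets anyone who reaches it stop the JVM.
    [ "$(prop "$f" management.endpoint.shutdown.enabled)" != "true" ] \
        || echo "FAIL shutdown endpoint enabled (tip 5)"
    # Tip 9: a secret-looking key holding a literal value instead of a ${...} placeholder.
    grep -Ei '^[[:space:]]*[^#=]*(password|secret|token)[^=]*=' "$f" 2>/dev/null \
        | grep -Ev '=[[:space:]]*\$\{' \
        | while IFS= read -r line; do
            echo "FAIL literal secret in properties: ${line%%=*} (tip 9)"
          done
    return 0
}

# audit_count FILE -> prints the number of findings.
audit_count() { audit_props "$1" | wc -l | tr -d ' '; }

# make_samples DIR -> writes a weak and a hardened sample (both constructed) into DIR.
make_samples() {
    cat > "$1/weak.properties" <<'EOF'
# constructed sample: everything on the app port, wide open
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
spring.datasource.password=hunter2
EOF
    cat > "$1/hardened.properties" <<'EOF'
# constructed sample: tips 1, 2, 4, 5 and 9 applied
management.server.port=8081
management.endpoints.web.exposure.include=health,prometheus
management.endpoint.env.keys-to-sanitize=password,secret,key,token
management.endpoint.shutdown.enabled=false
spring.datasource.password=${DB_PASSWORD}
EOF
}

# Stand-alone run: audit both samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    for p in weak hardened; do
        echo "== $p: $(audit_count "$d/$p.properties") finding(s)"
        audit_props "$d/$p.properties"
    done
    rm -rf "$d"
fi
```

The weak sample produces five findings (one per tip it violates) and the hardened one none. The tip 4 check is deliberately a warning rather than a failure: Spring Boot masks common key names on its own, but an explicit list documents what you expect to be hidden.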
10. Regular Security Audits and Pentesting
Periodically run a scan using tools like OWASP ZAP or Burp Suite specifically against your /actuator paths. It’s better for you to find the leak than for a bug bounty hunter (or a hacker) to find it.
Common Mistakes I See in Production
- The “Include All” Trap: Using include=* in properties and assuming the firewall is enough. Firewalls can be misconfigured; defense in depth is key.
- Ignoring the /heapdump: Forgetting that /heapdump can contain plaintext passwords and session tokens present in memory.
- Default Passwords: Using spring as the username and password as the password for basic auth on management ports.
Measuring Success: How do you know it’s secure?
To validate that these practices are actually in place, try the “Outside-In” test: attempt to curl your actuator endpoints from a machine outside your VPC. If you get a 401 Unauthorized or 403 Forbidden for everything except /health, you’re on the right track. Additionally, monitor your logs for a spike in 4xx errors on the /actuator path, which usually indicates scanning activity.
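The Outside-In test and the log check, written out as an added example (not from the original post) in POSIX sh. probe drives curl against whatever base URL you pass it; verdict encodes the pass/fail rule from the paragraph above, with one allowance I added: a 404 also passes for a non-health path, because that is what an endpoint that is not exposed at all returns. scan_log counts 4xx responses on /actuator per client in a combined-format access log. The log lines, client IPs, the app.example.com host and the threshold are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the "Outside-In" curl check and
# the 4xx-spike log check as POSIX sh functions. Hosts, IPs, thresholds and
# the sample log written by make_log are constructed for this demo.

# verdict PATH STATUS -> prints PASS or FAIL for one probed actuator path.
# /health should answer 200; every other path must be denied (401/403) or not
# routed at all (404, the answer for an endpoint that is not exposed).
verdict() {
    case "$1:$2" in
        */health:200)       echo PASS ;;
        */health:*)         echo "FAIL ($2)" ;;
        *:401|*:403|*:404)  echo PASS ;;
        *)                  echo "FAIL ($2)" ;;
    esac
}

# probe BASE_URL PATH... -> runs the Outside-In test from wherever this shell
# is (run it from outside the VPC), printing one verdict per path.
probe() {
    base="$1"; shift
    for p in "$@"; do
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$base$p") || code=000
        printf '%-24s %s\n' "$p" "$(verdict "$p" "$code")"
    done
}

# scan_log LOGFILE THRESHOLD -> prints "IP COUNT" for every client with more
# than THRESHOLD 4xx responses on /actuator paths (combined log format:
# field 7 is the request path, field 9 the status code).
scan_log() {
    awk -v t="$2" '
        $7 ~ /^\/actuator/ && $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
    ' "$1" | sort
}

# make_log FILE -> writes a constructed access log: one external client
# sweeping actuator paths and being denied, plus legitimate internal probes.
make_log() {
    cat > "$1" <<'EOF'
203.0.113.9 - - [10/Oct/2024:13:55:36 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:36 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "GET /actuator/beans HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "GET /actuator/loggers HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2024:13:55:40 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
10.0.0.7 - - [10/Oct/2024:13:55:41 +0000] "GET /actuator/prometheus HTTP/1.1" 200 8192 "-" "Prometheus/2.51"
10.0.0.7 - - [10/Oct/2024:13:55:42 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "Prometheus/2.51"
EOF
}

# Stand-alone run: flag clients with more than two denied actuator hits.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); make_log "$f"
    echo "clients with >2 denied actuator requests:"; scan_log "$f" 2
    rm -f "$f"
    # Live check (assumed host): probe https://app.example.com /actuator/health /actuator/env /actuator/heapdump
fi
```

In the sample log only 203.0.113.9 crosses the threshold; the internal Prometheus client's single 403 on /env is the kind of noise a threshold exists to ignore. For a real deployment, point scan_log at the management-port access log and tune the threshold to your scrape interval.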
Ready to harden your entire Java stack? Start by implementing a robust authentication layer. If you’re moving toward microservices, my OAuth2 guide is the perfect next step to complement these actuator tips.