Spring Boot Actuator
Description
Spring Boot Actuator provides production-ready endpoints for monitoring and managing applications. When exposed without proper security controls, these endpoints reveal sensitive operational data including application configuration, environment variables, bean definitions, request mappings, thread dumps, and system metrics. This vulnerability occurs when Actuator endpoints are accessible without authentication, particularly in production environments where they should be restricted or disabled.
Remediation
Implement the following security controls for Spring Boot Actuator endpoints in production environments:
1. Disable unnecessary endpoints:
   management.endpoints.enabled-by-default=false
   management.endpoint.health.enabled=true
   management.endpoint.info.enabled=true
2. Require authentication for all Actuator endpoints:
   management.endpoints.web.exposure.include=health,info
   management.endpoints.web.base-path=/actuator
   management.endpoint.health.show-details=when-authorized
3. Use Spring Security to protect endpoints:
   import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
   import org.springframework.context.annotation.Configuration;
   import org.springframework.security.config.annotation.web.builders.HttpSecurity;
   import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

   // WebSecurityConfigurerAdapter applies to Spring Security 5.x; 5.7 and later
   // replace it with a SecurityFilterChain bean, but the matchers below are the same.
   @Configuration
   public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http.authorizeRequests()
               // health and info carry no secrets and may stay public
               .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
               // every other Actuator endpoint requires an authenticated admin
               .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
               .and().httpBasic();
       }
   }
4. Change the default base path to a non-obvious value and restrict network access using firewall rules to allow only trusted IP addresses or internal networks.
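As an added example that is not part of the original page, the following Python audit parses an application.properties fragment and reports the settings that steps 1 and 2 above are meant to fix: endpoints left enabled by default, sensitive endpoints (or everything, via "*") exposed over HTTP, and health details shown without authorization. The two property fragments are constructed samples; the Spring Boot defaults assumed in the comments are those of Spring Boot 2.2 and later.

```python
# Constructed sample application.properties fragments (not from any real project).
RISKY_PROPERTIES = """\
management.endpoints.enabled-by-default=true
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always
"""
HARDENED_PROPERTIES = """\
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoints.web.exposure.include=health,info
management.endpoints.web.base-path=/actuator
management.endpoint.health.show-details=when-authorized
"""
LOW_RISK_ENDPOINTS = {"health", "info"}  # the only ones the remediation leaves unauthenticated


def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_actuator(props):
    """Return a list of findings for risky Actuator settings (empty means clean)."""
    findings = []
    # Step 1: every endpoint stays enabled unless this is explicitly false (assumed default: true).
    if props.get("management.endpoints.enabled-by-default", "true") != "false":
        findings.append("enabled-by-default is not false")
    # Step 2: Spring Boot 2.2+ exposes only 'health' over HTTP unless the list is widened.
    exposed = props.get("management.endpoints.web.exposure.include", "health")
    if exposed == "*":
        findings.append("exposure.include=* exposes every endpoint over HTTP")
    else:
        sensitive = sorted({e.strip() for e in exposed.split(",") if e.strip()} - LOW_RISK_ENDPOINTS)
        if sensitive:
            findings.append("sensitive endpoints exposed: " + ", ".join(sensitive))
    # Health details (disk paths, datasource names) should require authorization (assumed default: never).
    if props.get("management.endpoint.health.show-details", "never") == "always":
        findings.append("health.show-details=always leaks component details")
    return findings
```

Run it against the two fragments: the risky one yields three findings and the hardened one yields none.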