Spring Boot Misconfiguration: Actuator endpoint security disabled
Description
This Spring Boot web application has disabled authentication for all Spring Boot Actuator endpoints. Actuator endpoints provide monitoring and management capabilities, including health checks, metrics, environment properties, and heap dumps. The application is configured with management.security.enabled=false, which removes authentication requirements from these sensitive administrative endpoints, making them publicly accessible.
Remediation
Enable authentication for Spring Boot Actuator endpoints. The remediation approach depends on your Spring Boot version:
For Spring Boot 1.x applications:
Set the following property in your application.properties or application.yml file:
management.security.enabled=true
For Spring Boot 2.x and later:
The management.security.enabled property is deprecated. Instead, configure endpoint security using Spring Security. Add a security configuration class such as the following:
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Apply this chain only to Actuator endpoints (any endpoint under the management base path)
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Every Actuator request must come from an authenticated user
                .anyRequest().authenticated()
            .and()
            // HTTP Basic is sufficient for monitoring tooling; use HTTPS so credentials are not sent in clear text
            .httpBasic();
    }
}
Additionally, consider exposing only necessary endpoints using:
management.endpoints.web.exposure.include=health,info
For production environments, also consider isolating Actuator endpoints on a separate management port accessible only from trusted networks.
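The WebSecurityConfigurerAdapter base class used above is deprecated in Spring Security 5.7 and removed in Spring Security 6 (Spring Boot 3.x). The following is an added example, not part of the original advisory, showing the equivalent configuration as a SecurityFilterChain bean. It goes slightly beyond the text: health and info stay reachable without credentials so a load balancer can probe them, while every other Actuator endpoint (env, heapdump, metrics and so on) requires an authenticated user holding the ACTUATOR_ADMIN role. The role name and the @Order value are assumptions chosen for this example; the user store that grants the role is not shown.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not from the original advisory): Spring Security 6 style
 * configuration that locks down Actuator endpoints.
 */
@Configuration
public class ActuatorSecurityConfig {

    // Assumed role name; grant it only to monitoring/operations principals.
    private static final String ACTUATOR_ROLE = "ACTUATOR_ADMIN";

    // @Order(1) is an assumption: this chain must be evaluated before the
    // application's general-purpose chain so Actuator rules are not bypassed.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to requests that target Actuator endpoints
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may run unauthenticated
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Everything else (env, heapdump, metrics, loggers, ...) needs the admin role
                .anyRequest().hasRole(ACTUATOR_ROLE))
            // HTTP Basic for tooling; terminate TLS in front of the application
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

To verify the configuration after deployment, request /actuator/health without credentials and expect HTTP 200, then request /actuator/env without credentials and expect HTTP 401; a user authenticated without the ACTUATOR_ADMIN role should receive HTTP 403 on the same endpoint. Pair this with management.endpoints.web.exposure.include so that endpoints which are not needed are never exposed in the first place, regardless of the security chain.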