Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
Description
Spring Boot Actuator provides built-in HTTP endpoints for monitoring and managing an application in production. Only the health endpoint (and, on older 2.x releases, info) is exposed over HTTP by default, but this application is configured with management.endpoints.web.exposure.include=* (written "*" in YAML), which maps every Actuator endpoint, including heapdump, threaddump, env, loggers, beans and mappings, under the /actuator base path. With no authentication in front of them, anyone who can reach the application can download a full JVM heap dump (which typically contains credentials, session tokens and other secrets held in memory), read configuration and environment data through env (values are masked only where the Spring Boot version or the management.endpoint.env.show-values setting sanitizes them), enumerate internal beans and request mappings, and, for endpoints that accept POST such as loggers or shutdown (the latter is disabled unless management.endpoint.shutdown.enabled=true), change the behaviour of the running application.
Remediation
Restrict Spring Boot Actuator endpoint exposure to only those endpoints required for your operational needs. Follow these steps to secure your configuration:
Step 1: Limit exposed endpoints in your application properties file (application.properties or application.yml):
# Preferred: an allow-list of the endpoints that are actually needed
management.endpoints.web.exposure.include=health,info,metrics

# Alternatively, keep the wildcard but deny the most sensitive endpoints.
# exclude takes precedence over include, but a deny-list has to be revisited
# whenever an upgrade or a library adds a new endpoint, so prefer the allow-list.
management.endpoints.web.exposure.exclude=heapdump,threaddump,env,shutdown

In YAML the wildcard must be quoted ("*"). Note that shutdown is disabled by default (management.endpoint.shutdown.enabled=false) regardless of exposure, so excluding it is a safeguard rather than the fix.
Step 2: Require authentication and authorization for the endpoints that remain exposed, using Spring Security. The class below uses the WebSecurityConfigurerAdapter style of Spring Boot 2.x (Spring Security 5); the adapter was deprecated in Spring Security 5.7 and removed in 6.0, where the same rules are expressed as a SecurityFilterChain bean. Declaring this class makes Spring Boot's auto-configured default security back off, so the rest of the application must carry its own security configuration:
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This configuration applies only to requests for exposed Actuator endpoints
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // health and info stay anonymous for load balancers and probes
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // every other exposed endpoint requires the ROLE_ACTUATOR_ADMIN authority
                .anyRequest().hasRole("ACTUATOR_ADMIN")
            .and()
            .httpBasic();
    }
}
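Spring Security 5.7 deprecated WebSecurityConfigurerAdapter and Spring Security 6 (Spring Boot 3) removed it, so the Step 2 class above does not compile on current releases. The class below is the Spring Boot 3 equivalent, added here as an example rather than code from the original finding. It assumes a package name of com.example.actuator, that the administrator credentials arrive through the properties actuator.admin.username and actuator.admin.password (names chosen for this example; populate them from environment variables or a secret store, never from a committed file), and that the role name ACTUATOR_ADMIN from Step 2 is kept.

```java
package com.example.actuator; // assumed package name for this example

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Lowest order so this chain is consulted before any application-wide chain.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Only requests for exposed Actuator endpoints are handled by this chain.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // health and info stay anonymous for load balancers and probes.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Every other exposed endpoint needs the ROLE_ACTUATOR_ADMIN authority.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults())
            // Management clients authenticate on every request, so no session is created ...
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // ... and without a session cookie CSRF does not apply. Leaving CSRF on would make the
            // state-changing endpoints (POST /actuator/loggers/..., POST /actuator/shutdown) answer 403.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // In-memory user carrying the management role. The property names are assumptions made for
    // this example; grant the role in the application's real user store instead if it has one.
    @Bean
    public UserDetailsService actuatorUsers(
            @Value("${actuator.admin.username}") String username,
            @Value("${actuator.admin.password}") String password) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
                User.withUsername(username)
                        .password(encoder.encode(password))
                        .roles("ACTUATOR_ADMIN")
                        .build());
    }
}
```

Two consequences of this class are easy to miss. Defining any SecurityFilterChain bean makes Spring Boot's auto-configured default chain back off, so an application that previously relied on the defaults needs a second chain with a higher @Order for its own routes, otherwise those routes end up with no authentication at all. Defining a UserDetailsService bean likewise replaces the generated default user; if the application already has a user store, drop that bean and grant ROLE_ACTUATOR_ADMIN there.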
Step 3: Consider isolating Actuator endpoints on a separate management port accessible only from trusted networks:
# Serve the Actuator on a separate port, bound to the loopback interface only
management.server.port=8081
management.server.address=127.0.0.1

Binding to 127.0.0.1 means only processes on the same host (a local Prometheus agent or a sidecar, for example) can reach the management port; in a container this also blocks HTTP liveness and readiness probes that arrive on the pod address, so bind to that address or switch to an exec probe in that case. Combine the separate port with network-level access controls (firewall rules or security groups) so it is unreachable from untrusted networks, and keep the authentication from Step 2 in place: Spring Boot applies the parent application's Spring Security filter chain to the management port as well, and a port that is reachable at all should still require credentials. A separate port is defence in depth, not a substitute for Steps 1 and 2.
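A test that fails the build if the wildcard exposure is reintroduced, added here as an example and not part of the original finding. It is a Spring Boot integration test against the application's own configuration: it assumes the Step 1 property values (health, info and metrics exposed; heapdump, threaddump, env and shutdown not exposed), a security configuration that leaves health and info anonymous and requires ROLE_ACTUATOR_ADMIN elsewhere, with the administrator read from the properties actuator.admin.username and actuator.admin.password (names chosen for this example), and that the management endpoints are served on the application port in the test profile (TestRestTemplate targets the application port, so a separate management.server.port from Step 3 must not be active when this test runs).

```java
package com.example.actuator; // assumed package name for this example

import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.test.context.TestPropertySource;

// Boots the real application on a random port and probes the Actuator over HTTP.
// Only test credentials are overridden here; the exposure settings under test come from
// the application's own application.properties / application.yml.
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
@TestPropertySource(properties = {
        // assumed property names for the management user (test-only values)
        "actuator.admin.username=ops",
        "actuator.admin.password=test-only-secret"
})
class ActuatorExposureTest {

    // Endpoints that must never be reachable over HTTP in this application.
    private static final String[] MUST_NOT_BE_EXPOSED = {"heapdump", "threaddump", "env", "shutdown"};

    @Autowired
    private TestRestTemplate rest;

    // Issues a GET as anonymous (user == null) or with HTTP Basic credentials and returns the status.
    private HttpStatus status(String path, String user, String password) {
        TestRestTemplate client = (user == null) ? rest : rest.withBasicAuth(user, password);
        return HttpStatus.valueOf(client.getForEntity(path, String.class).getStatusCode().value());
    }

    @Test
    void healthAndInfoStayAnonymous() {
        assertThat(status("/actuator/health", null, null)).isEqualTo(HttpStatus.OK);
        assertThat(status("/actuator/info", null, null)).isEqualTo(HttpStatus.OK);
    }

    @Test
    void sensitiveEndpointsAreNotMapped() {
        // Even with valid credentials an unexposed endpoint must not exist (404); this is what
        // distinguishes "not exposed" from "merely protected".
        for (String endpoint : MUST_NOT_BE_EXPOSED) {
            assertThat(status("/actuator/" + endpoint, "ops", "test-only-secret"))
                    .as("/actuator/%s must not be exposed", endpoint)
                    .isEqualTo(HttpStatus.NOT_FOUND);
        }
    }

    @Test
    void exposedEndpointsRequireTheManagementRole() {
        assertThat(status("/actuator/metrics", null, null)).isEqualTo(HttpStatus.UNAUTHORIZED);
        assertThat(status("/actuator/metrics", "ops", "wrong-password")).isEqualTo(HttpStatus.UNAUTHORIZED);
        assertThat(status("/actuator/metrics", "ops", "test-only-secret")).isEqualTo(HttpStatus.OK);
    }
}
```

The 404 assertion is deliberate: a request for an endpoint that is not exposed never reaches the Actuator, whereas a 401 or 403 would only show that the endpoint exists and is guarded. If the application's own security chain uses a different user store than the management chain, give that store a test user too, otherwise the credentialed requests to unexposed paths are rejected before they can reach the 404.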