Spring Boot Misconfiguration: Developer tools enabled on production
Description
This Spring Boot application has the spring-boot-devtools module on its classpath in a production environment. DevTools is intended only for local development. It adds automatic restart on classpath changes, LiveReload, remote restart support (once spring.devtools.remote.secret is set, a client that knows the secret can push changed classes to the running application over HTTP), and development-oriented property defaults such as disabled template caching, error responses that include messages and stack traces (server.error.include-stacktrace=always), and an enabled H2 console (spring.h2.console.enabled=true). In production these features widen the attack surface and leak application internals, and remote restart in particular is a code-upload channel protected by nothing more than a single shared secret.
Remediation
Remove the spring-boot-devtools dependency from your production builds immediately. This can be accomplished by:
1. For Maven projects, declare the dependency with runtime scope and mark it optional in your pom.xml. The spring-boot-maven-plugin leaves DevTools out of the repackaged archive by default (controlled by its excludeDevtools parameter), and optional keeps the dependency from propagating to projects that depend on this one:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
2. For Gradle projects, use the developmentOnly configuration in your build.gradle; the Spring Boot Gradle plugin keeps dependencies in that configuration on the development classpath and out of the archives produced by bootJar and bootWar:
dependencies {
developmentOnly 'org.springframework.boot:spring-boot-devtools'
}
3. Verify that the production build excludes DevTools: list the contents of the packaged JAR or WAR and confirm that no spring-boot-devtools jar is present under BOOT-INF/lib/ (executable JAR) or WEB-INF/lib/ (WAR). DevTools tries to disable itself when the application is launched with java -jar from a fully packaged archive, but that is a convenience heuristic rather than a security control; the library being absent from the artifact is the only reliable guarantee.
4. If DevTools must stay declared in the build for developers, disable it explicitly in the production profile rather than relying on automatic detection. Set spring.devtools.restart.enabled=false (as a system property before SpringApplication.run if the restart class loader must not be initialized at all; setting it in application.properties stops file watching but still initializes the restarter), spring.devtools.livereload.enabled=false, and spring.devtools.add-properties=false so that the development property defaults (stack traces in error responses, H2 console, disabled caches) are not applied, and never set spring.devtools.remote.secret in a production configuration. Complete removal from the artifact remains the preferred approach, because each of these settings can be undone by a stray property file or environment variable.
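The following script, added here as an example and not taken from Spring Boot or from this finding, implements the verification in step 3 and goes one step further: besides looking for a spring-boot-devtools jar under BOOT-INF/lib/ or WEB-INF/lib/, it opens every nested jar and looks for classes in the org.springframework.boot.devtools package, so a renamed or shaded copy, or DevTools classes unpacked into BOOT-INF/classes, are reported as well. The archives it builds for demonstration are constructed samples; the artifact names, version numbers and the script name check_devtools.py are assumptions.

```python
"""Verify that a packaged Spring Boot JAR/WAR does not ship spring-boot-devtools.

Added example for this finding; not part of Spring Boot or the original page.
"""
import io
import sys
import zipfile

# Directories under which Spring Boot packages dependency jars: BOOT-INF/lib/
# in an executable JAR, WEB-INF/lib/ in a WAR.
LIB_PREFIXES = ("BOOT-INF/lib/", "WEB-INF/lib/")
# Package path of the DevTools classes. Checking for it catches copies that
# were shaded, renamed, or unpacked into BOOT-INF/classes rather than shipped
# as the usual spring-boot-devtools-<version>.jar.
DEVTOOLS_PACKAGE = "org/springframework/boot/devtools/"


def _nested_jar_has_devtools(data):
    """True if the nested jar (raw bytes) contains classes from the DevTools package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(n.startswith(DEVTOOLS_PACKAGE) for n in inner.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all; a corrupt nested entry is not evidence


def find_devtools_entries(archive):
    """Return the archive entries proving DevTools is packaged (empty list = clean).

    `archive` is a path, a file-like object, or the raw bytes of a JAR/WAR.
    """
    if isinstance(archive, (bytes, bytearray)):
        archive = io.BytesIO(archive)
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if DEVTOOLS_PACKAGE in name:
                hits.append(name)  # loose DevTools class, e.g. under BOOT-INF/classes
            elif name.startswith(LIB_PREFIXES) and name.endswith(".jar"):
                jar = name.rsplit("/", 1)[-1]
                if jar.startswith("spring-boot-devtools"):
                    hits.append(name)  # the dependency packaged under its own name
                elif _nested_jar_has_devtools(zf.read(name)):
                    hits.append(f"{name} (contains {DEVTOOLS_PACKAGE})")  # renamed or shaded copy
    return hits


def build_sample_archive(devtools_jar_name=None, loose_devtools_class=False):
    """Return the bytes of a constructed executable-JAR layout for demonstration.

    The layout, artifact names and version numbers are made up for this example;
    the "class" contents are only the JVM magic number, not real bytecode.
    """
    magic = b"\xca\xfe\xba\xbe"

    def nested(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry in entries:
                z.writestr(entry, magic)
        return buf.getvalue()

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/classes/com/example/App.class", magic)
        zf.writestr("BOOT-INF/lib/spring-boot-3.2.0.jar",
                    nested(["org/springframework/boot/SpringApplication.class"]))
        if devtools_jar_name:  # DevTools as a nested jar, under any file name
            zf.writestr("BOOT-INF/lib/" + devtools_jar_name,
                        nested(["org/springframework/boot/devtools/restart/Restarter.class"]))
        if loose_devtools_class:  # DevTools classes unpacked next to the app's own
            zf.writestr("BOOT-INF/classes/" + DEVTOOLS_PACKAGE + "RemoteSpringApplication.class", magic)
    return out.getvalue()


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <app.jar|app.war>", file=sys.stderr)
        return 2
    hits = find_devtools_entries(argv[1])
    for hit in hits:
        print("DevTools packaged:", hit)
    print("OK: no spring-boot-devtools found" if not hits else f"FAIL: {len(hits)} finding(s)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the pipeline against the exact artifact that gets deployed (python check_devtools.py target/app.jar) and fail the build on a non-zero exit status; checking a local build that differs from the deployed one defeats the purpose. The nested-jar scan is what makes the check hold up when the dependency reaches the artifact under another name, for example through a shaded or relocated library.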