Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed
Description
This Spring Boot application has the Actuator shutdown endpoint enabled and exposed via the web interface. The shutdown endpoint is a management feature that allows remote termination of the application. When exposed without proper security controls, this endpoint creates an unnecessary attack surface that could be exploited to disrupt application availability.
Remediation
Disable the Spring Boot Actuator shutdown endpoint unless there is a specific operational requirement for remote application shutdown. This endpoint should be disabled by default in production environments.
For Spring Boot 1.x, add the following to your application.properties or application.yml:
endpoints.shutdown.enabled=false
For Spring Boot 2.x and later, use:
management.endpoint.shutdown.enabled=false
If the shutdown endpoint must remain enabled for operational purposes, ensure it is protected by strong authentication, restricted to specific IP addresses or internal networks only, and excluded from public web exposure using the following configuration:
management.endpoints.web.exposure.exclude=shutdown