Spring Boot Actuator is a useful feature that provides developers with a set of tools to monitor and manage their applications. However, some of the actuator endpoints are sensitive and can potentially expose sensitive information about your application. In this article, we’ll explore different ways to secure these endpoints to ensure your application is protected.
Which actuator endpoints are sensitive?
Spring Boot treats all but ‘/health‘ and ‘/info‘ endpoints as sensitive. This is because sensitive endpoints expose information or functionality that should not be available to untrusted clients. Below is a list of endpoints that are considered sensitive and should be exposed without proper authentication:
- /auditevents: Exposes audit events information for the current application. Requires an AuditEventRepository bean.
- /beans: Displays a complete list of all the Spring beans in your application.
- /caches: Exposes available caches.
- /conditions: Shows the conditions that were evaluated on configuration and auto-configuration classes and the reasons why they did or did not match.
- /configprops: Displays a collated list of all @ConfigurationProperties.
- /env: Exposes properties from Spring’s ConfigurableEnvironment.
- /flyway: Shows any Flyway database migrations that have been applied. Requires one or more Flyway beans.
- /httpexchanges: Displays HTTP exchange information (by default, the last 100 HTTP request-response exchanges). Requires an HttpExchangeRepository bean.
- /integrationgraph: Shows the Spring Integration graph. Requires a dependency on spring-integration-core.
- /loggers: Shows and modifies the configuration of loggers in the application.
- /mappings: Displays a collated list of all @RequestMapping paths.
- /metrics: Shows ‘metrics’ information for the current application.
- /scheduledtasks: Displays the scheduled tasks in your application.
- /sessions: Allows retrieval and deletion of user sessions from a Spring Session-backed session store. Requires a Servlet-based web application using Spring Session.
- /shutdown: Lets the application be gracefully shutdown. Disabled by default.
- /threaddump: Performs a thread dump.
How to change the sensitivity of Actuator Endpoint?
You can change the sensitivity of any endpoint by using the management.endpoint.<id>.sensitive
property. For example, to make the /env endpoint non-sensitive, you can set:
management.endpoint.env.sensitive=false
By default, the /env
endpoint is considered a sensitive endpoint and requires authentication to access.
Setting the property to false
makes the /env
endpoint non-sensitive, which means it can be accessed without authentication. This can be useful in some cases where you want to allow public access to your application’s environment properties, such as in a development environment or for diagnostic purposes.
However, it’s important to note that making sensitive endpoints non-sensitive can pose a security risk, as it may expose sensitive information to unauthorized users. Therefore, it’s important to carefully consider the security implications before making any changes to the sensitivity of Spring Boot Actuator endpoints.
How to secure Actuator endpoints in Spring Boot?
There are several ways to secure actuator endpoints in Spring Boot:
- Basic Authentication: One way to secure actuator endpoints is to use basic authentication. Spring Boot Actuator provides built-in support for basic authentication, allowing you to specify a username and password for accessing the endpoints. You can do this by adding the following properties to your application.properties file:
management.endpoints.web.exposure.include=* spring.security.user.name=admin spring.security.user.password=admin
This will enable basic authentication for all actuator endpoints and set the username and password to admin.
- IP Address Restrictions: IP address restrictions can be used to restrict access to Spring Boot Actuator endpoints based on the IP address of the client making the request. This can be a useful way to limit access to sensitive endpoints to a specific set of IP addresses, such as those belonging to your organization.To configure IP address restrictions, you can use the
management.endpoint.<id>.allowed-ip
property, where<id>
is the ID of the endpoint you want to restrict. For example, to restrict access to the/health
endpoint to a specific IP address, you can add the following property to your application.properties file:management.endpoint.health.allowed-ip=192.168.0.1
This configuration will only allow requests to the
/health
endpoint from the IP address192.168.1.100
.You can also specify a list of IP addresses separated by commas, or use CIDR notation to specify a range of IP addresses. For example:
management.endpoint.health.allowed-ip=192.168.0.1, 192.168.0.2/24
This configuration will allow requests to the
/health
endpoint from either192.168.1.100
or any IP address in the range192.168.1.101
to192.168.1.254
.It’s important to note that IP address restrictions should not be used as the only security measure to protect sensitive endpoints, as IP addresses can be easily spoofed. Therefore, it’s recommended to combine IP address restrictions with other authentication and authorization mechanisms, such as basic authentication or role-based access control.
- Role-based Access Control: Spring Boot also provides support for role-based access control for actuator endpoints. This allows you to specify which roles are allowed to access certain endpoints. You can do this by adding the following properties to your application.properties file:
management.endpoints.web.exposure.include=* management.endpoint.health.show-details=always management.endpoint.health.roles=ACTUATOR_ADMIN management.endpoints.web.exposure.include=health,info,metrics,trace spring.security.user.name=admin spring.security.user.password=admin spring.security.ignored=/** management.endpoint.info.enabled=false
In this example, we have allowed only the ACTUATOR_ADMIN role to access the health endpoint. This means that only users with the ACTUATOR_ADMIN role will be able to access this endpoint.
How to disable actuator endpoints security?
If you want to disable actuator endpoints security altogether, you can do so by adding the following property to your application.properties file:
management.security.enabled=false
This will disable security for all actuator endpoints. However, it’s important to note that this is not recommended as it can expose sensitive information about your application to unauthorized users.
Final words
In conclusion, securing actuator endpoints in Spring Boot is essential to ensure the safety and confidentiality of your application. Basic authentication, IP address restrictions, and role-based access control are some of the ways to achieve this. Remember, always be careful when dealing with sensitive information, and implement security measures accordingly.