Disable spring boot actuator endpoints

Enabling actuator provides many benefits but could expose internal system information even to an authenticated user. In this screencast we will show how to disable actuator endpoints from your spring boot application.

Detailed Video Notes

Spring Boot Actuator is a series of endpoints that allow you to see into your application. When enabled, navigating to /health will indicate if the application is healthy by returning a status of 200 or unhealthy by returning an empty response. While this information is useful, these endpoints may expose sensitive system information such as internal bean names, application server details, thread dumps or file listings. In this tutorial let's find out how to configure Spring Boot Actuator to turn off the /health endpoint as an example.

Note: while we use health as the example, the same change applies to any of the existing endpoints such as autoconfig, beans, configprops, dump, env, info, metrics, mappings, shutdown or trace.

Getting started

[0:37]

Spring created a web interface to quickly initialize a web application with Spring Boot. A very similar process is available within Spring STS and the starter projects. Let's create a web application by filling in the form and generating a project. Once downloaded we can import the Maven project into a workspace. Notice that our pom.xml file contains the spring-boot-starter-actuator dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

Examining actuator properties

[1:2]

Boot is built around a series of switches contained in a file named application.properties or application.yml that allow for configuration. There isn't an all-encompassing list of properties, but a good reference can be found in the Spring Boot reference docs. Each actuator endpoint has the common properties id, sensitive and enabled, while a handful of endpoints have custom elements. The pattern is endpoints.#nameOfEndPoint.#identifier. Since the project we created has a blank properties file, let's add properties to support the /health endpoint.

endpoints.health.id=health -> common
endpoints.health.sensitive=true -> common
endpoints.health.enabled=true -> common
endpoints.health.mapping.*= # mapping of health statuses to HttpStatus codes -> custom
endpoints.health.time-to-live=1000 -> custom

Turn off end point

[1:46]

Let's fire up our server and make a request to /health to validate that the project is configured properly. The request to /health should return a JSON response with a status of UP.

{
    "status": "UP"
}

To turn it off we simply need to change endpoints.health.enabled from true to false. Making this change and restarting should give us a JSON response containing "This endpoint is disabled". Note that while this turns off /health, the URL still responds: the endpoint is disabled, not removed. If you want more control over which endpoints are turned on, set endpoints.enabled=false, which turns everything off and requires each endpoint you want to keep to be explicitly enabled in application.properties.

{
    "message": "This endpoint is disabled"
}
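As an added example that is not from the screencast, here is an application.properties that applies the deny-by-default pattern just described: every actuator endpoint is switched off with endpoints.enabled=false and only /health is switched back on. The management.port, management.context-path and management.security.enabled keys are Spring Boot 1.x properties not shown in the screencast and are included as an assumption about how a hardened deployment would finish the job.

```properties
# Constructed example for Spring Boot 1.x, using the property pattern from this screencast.

# Weak setting (the default): every actuator endpoint is on and served on the application port.
# endpoints.enabled=true

# Hardened: turn every endpoint off, then re-enable only the endpoints operations actually needs.
endpoints.enabled=false
endpoints.health.enabled=true
# sensitive=true keeps the detailed health output behind authentication when management security is on.
endpoints.health.sensitive=true

# Assumed additional hardening (not shown on this page): serve whatever remains on a separate
# management port and path, with management security enabled, so the actuator is not reachable
# through the application's public listener.
management.port=8081
management.context-path=/manage
management.security.enabled=true
```

With this file in place, a request to /health on the application port is no longer served, and the other endpoint ids listed earlier (beans, env, dump, trace, shutdown and so on) stay disabled unless you add an explicit endpoints.<id>.enabled=true line for each one.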

Thanks for joining in today's level up lunch, have a great day!