Clarify actuator security documentation #30065
Thanks for the pull request, @cmabdullah. I've left a couple of comments for your consideration.
@@ -316,8 +316,18 @@ TIP: If you want to implement your own strategy for when endpoints are exposed, | |||
|
|||
[[actuator.endpoints.security]] | |||
=== Security | |||
For security purposes, all actuators other than `/health` are disabled by default. | |||
You can use the configprop:management.endpoints.web.exposure.include[] property to enable the actuators. | |||
For security purposes, all actuator's endpoints that are exposed over HTTP are secret by default except `/health` endpoint. |
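Review bot: In the added sentence beginning "For security purposes, all actuator's endpoints", the phrase "endpoints that are exposed over HTTP are secret" contradicts itself and introduces "secret", a term this section does not define, where the earlier wording said "disabled" and "enable". Pick one term for the state being described and use it once, and fix the possessive in "actuator's endpoints" and the missing article in "except `/health` endpoint". The earlier text also named the configprop:management.endpoints.web.exposure.include[] property; the new paragraph should still point readers to it so they know how the default is changed.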
The goal here is to consistently use the term "expose" but this change uses "secret". I think this sentence would be better if it was something like the following:
For security purposes, only the `/health` endpoint is exposed over HTTP by default.
Updated according to your suggestions, thanks for your concern.
spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc
@cmabdullah Thank you for making your first contribution to Spring Boot.