From 3fdbfb51aa3b82b46255ce2a938a07255ac8c525 Mon Sep 17 00:00:00 2001 From: "Khan, C M Abdullah" Date: Fri, 4 Mar 2022 01:54:59 +0600 Subject: [PATCH 1/3] Clarify actuator security documentation --- .../src/docs/asciidoc/actuator/endpoints.adoc | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc index 41a7d9beb06c..918694c4c41b 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc @@ -316,8 +316,18 @@ TIP: If you want to implement your own strategy for when endpoints are exposed, [[actuator.endpoints.security]] === Security -For security purposes, all actuators other than `/health` are disabled by default. -You can use the configprop:management.endpoints.web.exposure.include[] property to enable the actuators. +For security purposes, all actuator's endpoints that are exposed over HTTP are secret by default except `/health` endpoint. +You can use the configprop:management.endpoints.web.exposure.include[] property to enable the actuator's endpoint. + +The following configuration expose `/info` and `/metrics` endpoint from the example.com domain: +[source,yaml,indent=0,subs="verbatim",configprops,configblocks] +---- + management: + endpoints: + web: + exposure: + include: ["info", "metrics"] +---- NOTE: Before setting the `management.endpoints.web.exposure.include`, ensure that the exposed actuators do not contain sensitive information, are secured by placing them behind a firewall, or are secured by something like Spring Security. From 25a12a95f2d382ea26c46a8164ed88e99e9e120f Mon Sep 17 00:00:00 2001 
From: "Khan, C M Abdullah" Date: Fri, 4 Mar 2022 17:52:52 +0600 Subject: [PATCH 2/3] Clarify actuator security documentation --- .../spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc index 918694c4c41b..066eec5b8302 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc @@ -317,7 +317,7 @@ TIP: If you want to implement your own strategy for when endpoints are exposed, [[actuator.endpoints.security]] === Security For security purposes, all actuator's endpoints that are exposed over HTTP are secret by default except `/health` endpoint. -You can use the configprop:management.endpoints.web.exposure.include[] property to enable the actuator's endpoint. +You can use the configprop:management.endpoints.web.exposure.include[] property to expose the actuator's endpoint. The following configuration expose `/info` and `/metrics` endpoint from the example.com domain: [source,yaml,indent=0,subs="verbatim",configprops,configblocks] From 00281388dd7a401dfef123a29709e19e8d69267c Mon Sep 17 00:00:00 2001 From: "Khan, C M Abdullah" Date: Fri, 4 Mar 2022 20:08:03 +0600 Subject: [PATCH 3/3] Clarify actuator security documentation, 2. Resolved feedbacks --- .../src/docs/asciidoc/actuator/endpoints.adoc | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc index 066eec5b8302..72e2ecad666e 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc 
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc @@ -316,18 +316,8 @@ TIP: If you want to implement your own strategy for when endpoints are exposed, [[actuator.endpoints.security]] === Security -For security purposes, all actuator's endpoints that are exposed over HTTP are secret by default except `/health` endpoint. -You can use the configprop:management.endpoints.web.exposure.include[] property to expose the actuator's endpoint. - -The following configuration expose `/info` and `/metrics` endpoint from the example.com domain: -[source,yaml,indent=0,subs="verbatim",configprops,configblocks] ----- - management: - endpoints: - web: - exposure: - include: ["info", "metrics"] ----- +For security purposes, only the `/health` endpoint is exposed over HTTP by default. If you want to expose more endpoints, +you can use the configprop:management.endpoints.web.exposure.include[] property to expose the actuator's endpoint. NOTE: Before setting the `management.endpoints.web.exposure.include`, ensure that the exposed actuators do not contain sensitive information, are secured by placing them behind a firewall, or are secured by something like Spring Security.
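Review bot: In the first hunk (PATCH 1/3, the rewrite of the two sentences under `=== Security`), "secret by default" is the wrong term: endpoints not listed in `management.endpoints.web.exposure.include` are enabled but simply not exposed over HTTP, so "not exposed over HTTP by default" states the actual behaviour and avoids the enabled/exposed confusion the original "disabled by default" already had. The lead-in for the YAML block, "The following configuration expose `/info` and `/metrics` endpoint from the example.com domain", is also inaccurate, because the `include` property selects which endpoints are exposed and says nothing about a domain; suggest "The following configuration exposes the `/info` and `/metrics` endpoints over HTTP:" (plural, "exposes", and no domain).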
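Review bot: In the second hunk (PATCH 2/3), changing "enable" to "expose" is the right distinction, since `management.endpoints.web.exposure.include` controls exposure and not whether an endpoint is enabled, but the line still reads "the actuator's endpoint" in the singular while the property takes a list; suggest "to expose additional endpoints". The unchanged context line "from the example.com domain" carries the same domain wording flagged in the first hunk and should be fixed in the same commit.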
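Review bot: In the third hunk (PATCH 3/3), the new first sentence is wrapped mid-sentence ("If you want to expose more endpoints," followed by "you can use the ..." on the next line), whereas the surrounding file keeps one sentence per line, as the adjacent `NOTE:` line shows; put "If you want to expose more endpoints, you can use ..." on its own line and drop the leading "For security purposes," from the first sentence or keep it, but not split the second. "to expose the actuator's endpoint" should be "endpoints". Dropping the YAML example removes the only concrete configuration in this section; if reviewers objected to the example.com wording rather than the example itself, a corrected lead-in with the same `include: ["info", "metrics"]` block would be more helpful to readers than no example, especially next to the `NOTE:` that warns about exposing endpoints carrying sensitive information.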