How do I enable and secure Spring Boot Actuator endpoints?

Question

I want to use Spring Boot Actuator to monitor my application in production. I added the dependency but all endpoints are exposed.

How do I:
1. Enable only specific endpoints (health, info, metrics)
2. Secure them with authentication
3. Change the base path from /actuator

Any best practices for production?

micro_king · Accepted Answer

Here's how to configure Actuator properly for production:

**application.yml:**
```yaml
management:
  endpoints:
    web:
      base-path: /admin  # Change from /actuator
      exposure:
        include: health,info,metrics,prometheus
  endpoint:
    health:
      show-details: when_authorized
      show-components: always
  server:
    port: 8081  # Run on separate port
```

**Security Configuration:**
```java
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

**Best Practices:**
- Never expose env, beans, or heapdump in production
- Use a separate port or IP whitelist
- Enable Prometheus endpoint for monitoring
- Always use HTTPS

1 Answer