Spring Boot Actuator endpoints expose operational information about a running Spring Boot application. When improperly secured, they can leak sensitive data, allow configuration changes at runtime, or, for some endpoints and deployments, enable remote code execution.
/actuator/health # Application health status
/actuator/info # Application information
/actuator/env # Environment variables and all configuration property sources (SENSITIVE!)
/actuator/configprops # Configuration properties
/actuator/mappings # URL mappings
/actuator/beans # All Spring beans
/actuator/heapdump # Memory dump (CRITICAL!)
/actuator/threaddump # Thread dump
/actuator/loggers # Logger configuration (log levels can also be changed via POST)
/actuator/shutdown # Shutdown application (disabled by default; only reachable if explicitly enabled and exposed)
# /actuator/env can expose (depending on the Spring Boot version and sanitization/show-values settings, values may appear masked as ****** instead; heapdump is never sanitized):
{
"propertySources": [{
"properties": {
"spring.datasource.password": {"value": "db_password"},
"aws.secretKey": {"value": "AKIAIOSFODNN7..."}
}
}]
}
# /actuator/heapdump contains:
# - Database credentials
# - Session tokens
# - API keys in memory
# application.properties
# Allowlist: only the endpoints named here are reachable over HTTP. An endpoint
# that is enabled but not in this list is still not exposed on the web.
management.endpoints.web.exposure.include=health,info
# Disable the most sensitive endpoints outright so that a later edit of the
# include list cannot silently expose them again.
management.endpoint.env.enabled=false
management.endpoint.heapdump.enabled=false
# Changing the base path only changes the URL prefix of the endpoints; it is
# not an access control on its own. Authentication must come from Spring
# Security (see below).
management.endpoints.web.base-path=/management
# + Spring Security configuration: a security filter chain that requires an
#   authenticated user (typically an operator/admin role) for every management
#   endpoint, e.g. a rule matched with EndpointRequest.toAnyEndpoint().