Spring Boot Actuator endpoints are enabled by default, but they’re not automatically exposed externally in production, which is often a surprise for new users.
Let’s see some Actuator endpoints in action. Imagine you have a simple Spring Boot application. After adding the spring-boot-starter-actuator dependency, you can access endpoints like /actuator/health and /actuator/info by default.
Here’s a snippet of what a typical application.properties might look like for Actuator:
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=when_authorized
server.port=8080
This configuration tells Spring Boot to expose all web-enabled Actuator endpoints (management.endpoints.web.exposure.include=*). The health endpoint is configured to show details only when authorized, which is a good practice for production. The server.port=8080 is just a standard server configuration.
The primary problem Spring Boot Actuator solves is providing visibility into your running application without requiring custom code. Before Actuator, you’d often build bespoke endpoints or logging mechanisms to check application status, memory usage, or configuration details. Actuator offers a standardized, built-in way to achieve this.
Internally, Actuator works by registering a set of beans that represent different management functions. These beans are then exposed as HTTP endpoints (or JMX endpoints, if configured). When you request /actuator/health, for example, the HealthEndpoint bean is invoked, which in turn queries various HealthIndicator beans (like DataSourceHealthIndicator, DiskSpaceHealthIndicator, etc.) to gather the overall health status.
The main levers you control are set in application.properties or application.yml. You can:
- Include/Exclude Endpoints: management.endpoints.web.exposure.include=health,info,metrics or management.endpoints.web.exposure.exclude=env. This is crucial for security, limiting what sensitive information is exposed.
- Change the Base Path: management.endpoints.web.base-path=/manage. This moves all Actuator endpoints under a different URL prefix, useful for avoiding conflicts or for a more organized API.
- Configure Specific Endpoint Behavior: management.endpoint.metrics.enabled=false to disable specific endpoints, or management.endpoint.health.show-details=always to always show health details (use with caution in production).
- Secure Endpoints: Integrate with Spring Security to protect sensitive endpoints like env or beans.
Many users overlook the fact that the management.endpoints.web.exposure.include=* setting, while convenient, exposes all web endpoints, including potentially sensitive ones like env (which shows your application’s environment properties) and configprops (which reveals your configuration properties). In a production environment, it’s generally best practice to explicitly list the endpoints you want to expose, such as health, info, metrics, and loggers, and disable or secure others.
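As an added example (not from the original article or the Spring project), the following Python script audits an application.properties file for the exposure problems described above, for instance as a CI check. The function names, finding strings and the two sample files are constructed for illustration, and only the .properties format is handled, not YAML.

```python
# Added example: audit Actuator web exposure settings in application.properties.
SENSITIVE = {"env", "configprops", "beans"}  # endpoints the article names as sensitive
PREFIX = "management.endpoints.web.exposure."

# Constructed samples: the article's snippet, and an explicit allowlist variant.
WEAK = ("management.endpoints.web.exposure.include=*\n"
        "management.endpoint.health.show-details=when_authorized\n"
        "server.port=8080\n")
HARDENED = ("management.endpoints.web.exposure.include=health,info,metrics,loggers\n"
            "management.endpoint.health.show-details=when_authorized\n")

def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator ('=' or ':') appears first.
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if idx != -1:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def ids(value):
    """Turn a comma-separated endpoint list into a set of lowercase ids."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def audit(text, sensitive=SENSITIVE):
    """Return a list of findings; exclude takes precedence over include."""
    props = parse_properties(text)
    include = ids(props.get(PREFIX + "include", ""))
    exclude = ids(props.get(PREFIX + "exclude", ""))
    findings = []
    if "*" not in exclude:  # exclude=* hides every web endpoint
        if "*" in include:
            findings.append("wildcard include: every web endpoint is exposed")
            exposed = sensitive - exclude
        else:
            exposed = (include & sensitive) - exclude
        findings += [f"sensitive endpoint exposed: {e}" for e in sorted(exposed)]
    if props.get("management.endpoint.health.show-details", "").lower() == "always":
        findings.append("health details shown to all callers")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```
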
The next concept you’ll likely encounter is securing these production-ready endpoints, often involving Spring Security.