15.1.2 Enabling and disabling Actuator endpoints

You may have noticed that only the /health endpoint is enabled by default. Most Actuator endpoints carry sensitive information and should be secured. You can use Spring Security to lock down Actuator, but because Actuator isn’t secured on its own, most of the endpoints are disabled by default, requiring you to opt in for the endpoints you wish to expose.

Two configuration properties, management.endpoints.web.exposure.include and management.endpoints.web.exposure.exclude, can be used to control which endpoints are exposed. Use management.endpoints.web.exposure.include to specify which endpoints you want to expose. For example, if you wish to expose only the /health, /info, /beans, and /conditions endpoints, you can specify that with the following configuration:

management:
  endpoints:
    web:
      exposure:
        include: health,info,beans,conditions

The management.endpoints.web.exposure.include property also accepts an asterisk (*) as a wildcard to indicate that all Actuator endpoints should be exposed, as shown here:

management:
  endpoints:
    web:
      exposure:
        include: '*'

If you want to expose all but a few endpoints, it’s typically easier to include them all with a wildcard and then explicitly exclude a few. For example, to expose all Actuator endpoints except for /threaddump and /heapdump, you could set both the management.endpoints.web.exposure.include and management.endpoints.web.exposure.exclude properties like this:

management:
  endpoints:
    web:
      exposure:
        include: '*'
        exclude: threaddump,heapdump

Should you decide to expose more than /health and /info, it’s probably a good idea to configure Spring Security to restrict access to the other endpoints. We’ll look at how to secure Actuator endpoints in section 15.4. For now, though, let’s look at how you can consume the HTTP endpoints exposed by Actuator.