If you are developing a Spring MVC application, Spring Boot Actuator will auto-configure
all enabled endpoints to be exposed over HTTP. The default convention is to use the
id of the endpoint as the URL path. For example,
health is exposed as
If you add ‘Spring Security’ to your project, all sensitive endpoints exposed over HTTP
will be protected. By default ‘basic’ authentication will be used with the username
user and a generated password (which is printed on the console when the application
Generated passwords are logged as the application starts. Search for ‘Using default security password’.
You can use Spring properties to change the username and password and to change the
security role required to access the endpoints. For example, you might set the following
security.user.name=admin security.user.password=secret management.security.role=SUPERUSER
If you don’t use Spring Security and your HTTP endpoints are exposed publicly,
you should carefully consider which endpoints you enable. See
Section 40.1, “Customizing endpoints” for details of how you can set
Sometimes it is useful to group all management endpoints under a single path. For example,
your application might already use
/info for another purpose. You can use the
management.contextPath property to set a prefix for your management endpoint:
application.properties example above will change the endpoint from
Exposing management endpoints using the default HTTP port is a sensible choice for cloud based deployments. If, however, your application runs inside your own data center you may prefer to expose endpoints using a different HTTP port.
management.port property can be used to change the HTTP port.
Since your management port is often protected by a firewall, and not exposed to the public you might not need security on the management endpoints, even if your main application is secure. In that case you will have Spring Security on the classpath, and you can disable management security like this:
(If you don’t have Spring Security on the classpath then there is no need to explicitly disable the management security in this way, and it might even break the application.)
You can customize the address that the management endpoints are available on by
management.address property. This can be useful if you want to
listen only on an internal or ops-facing network, or to only listen for connections from
You can only listen on a different address if the port is different to the main server port.
Here is an example
application.properties that will not allow remote management
If you don’t want to expose endpoints over HTTP you can set the management port to
The information exposed by the health endpoint varies depending on whether or not it’s
accessed anonymously. By default, when accessed anonymously, any details about the
server’s health are hidden and the endpoint will simply indicate whether or not the server
is up or down. Furthermore, when accessed anonymously, the response is cached for a
configurable period to prevent the endpoint being used in a denial of service attack.
endpoints.health.time-to-live property is used to configure the caching period in
milliseconds. It defaults to 1000, i.e. one second.
The above-described restrictions can be disabled, thereby allowing anonymous users full
access to the health endpoint. To do so, set