Fix Security Misconfiguration in Spring Boot
Spring Boot’s 'convention over configuration' mantra is a goldmine for attackers. Default settings often expose sensitive Actuator endpoints, leak stack traces, and leave security headers at their weakest levels. Hardening your Spring Boot application requires moving away from 'star' patterns and explicitly defining your security posture to prevent information disclosure and RCE.
The Vulnerable Pattern
# application.yml - Total exposure
management:
  endpoints:
    web:
      exposure:
        include: "*"          # every Actuator endpoint is served over HTTP
  endpoint:
    env:
      enabled: true
    health:
      show-details: "always"  # component details shown to anyone

server:
  error:
    include-stacktrace: "always"  # stack traces returned to end-users
The Secure Implementation
The vulnerability stems from exposing the entire Actuator suite (`*`) to the public web, which leaks environment variables, heap dumps, and thread stacks. The fix implements a defense-in-depth strategy:

1. Minimize the attack surface by allow-listing only the essential endpoints (health and info).
2. Enforce Role-Based Access Control (RBAC) via Spring Security so that only administrators can reach the remaining management paths.
3. Disable verbose error stack traces in production so that internal logic and library versions are not leaked to end-users.
# application.yml - Restricted exposure
management:
  endpoints:
    web:
      exposure:
        include: "health,info"       # only the allow-listed endpoints are served
  endpoint:
    health:
      show-details: "when_authorized"  # details only for authenticated callers

Security Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Matchers are evaluated in order: the public health/info rule must come before the catch-all.
                .requestMatchers("/actuator/health", "/actuator/info").permitAll()
                // hasRole("ADMIN") matches the granted authority ROLE_ADMIN.
                .requestMatchers("/actuator/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives("script-src 'self'")))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
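To check an existing configuration for the weak values discussed above, here is an added audit script (not part of the original article or of Spring Boot) that flattens a plain application.yml into Spring property names and reports the risky settings; the YAML reader is a minimal one written for this example, and the sample configuration is constructed from the vulnerable pattern shown earlier.

```python
SENSITIVE = {"env", "heapdump", "threaddump"}  # endpoints the text names as leaking internals
EXPOSURE = "management.endpoints.web.exposure.include"

def flatten_yaml(text):
    """Flatten plain 'key: value' YAML maps into dotted Spring property names.
    Minimal reader for application.yml fragments (no lists, anchors or multi-line scalars)."""
    flat, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # left one or more nested maps
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat

def audit(flat):
    """Return (property, value, reason) findings for the weak settings; an empty list means clean."""
    findings = []
    include = flat.get(EXPOSURE, "health")  # Spring Boot's default exposes only health over the web
    exposed = {e.strip() for e in include.split(",")}
    if "*" in exposed:
        findings.append((EXPOSURE, include, "every Actuator endpoint (env, heapdump, threaddump, ...) is reachable over HTTP"))
    for endpoint in sorted(exposed & SENSITIVE):  # also catches an explicit allow-list that names a sensitive endpoint
        findings.append((EXPOSURE, endpoint, "sensitive Actuator endpoint explicitly exposed over HTTP"))
    if flat.get("management.endpoint.health.show-details") == "always":
        findings.append(("management.endpoint.health.show-details", "always", "health component details shown to unauthenticated callers"))
    if flat.get("server.error.include-stacktrace") == "always":
        findings.append(("server.error.include-stacktrace", "always", "stack traces and library versions returned in error responses"))
    return findings

# Constructed sample mirroring the vulnerable application.yml shown above.
VULNERABLE_YAML = """
management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    health:
      show-details: "always"
server:
  error:
    include-stacktrace: "always"
"""
```

Running `audit(flatten_yaml(VULNERABLE_YAML))` returns three findings; the restricted configuration above yields none.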
Verified by Ghost Labs Security Team