Actuator endpoint nhạy cảm (/env, /heapdump, /loggers) phải được bảo vệ — không public.
Cách 1 — Spring Security (recommended):
@Bean
SecurityFilterChain chain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(a -> a
.requestMatchers("/actuator/health", "/actuator/info").permitAll()
.requestMatchers("/actuator/**").hasRole("ADMIN") // chỉ admin
.anyRequest().authenticated()
)
.build();
}Cách 2 — Port riêng (simple, không cần auth logic):
management:
server.port: 8081 # expose Actuator trên port riêng
server.address: 127.0.0.1 # chỉ từ localhost (K8s internal)K8s probe vẫn gọi được từ trong cluster, nhưng public internet không tiếp cận port 8081.
Cách 3 — Chỉ expose endpoint cần thiết:
management:
endpoints:
web.exposure.include: health, info, prometheus
web.exposure.exclude: env, heapdump, shutdown
endpoint:
health.show-details: when-authorized
shutdown.enabled: false # tắt endpoint shutdown!/actuator/shutdown phải luôn tắt hoặc yêu cầu auth — ai cũng gọi được → tắt app.
Sensitive Actuator endpoints (/env, /heapdump, /loggers) must be secured — never public.
Option 1 — Spring Security (recommended):
@Bean
SecurityFilterChain chain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(a -> a
.requestMatchers("/actuator/health", "/actuator/info").permitAll()
.requestMatchers("/actuator/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.build();
}Option 2 — Separate port (simple, no auth logic needed):
management:
server.port: 8081
server.address: 127.0.0.1 # localhost only (K8s internal)K8s probes still reach it from inside the cluster, but the public internet cannot reach port 8081.
Option 3 — Only expose needed endpoints:
management:
endpoints:
web.exposure.include: health, info, prometheus
web.exposure.exclude: env, heapdump, shutdown
endpoint:
health.show-details: when-authorized
shutdown.enabled: false # always disable!/actuator/shutdown must always be disabled or require auth — anyone who calls it shuts down the app.