What is the significance of the management.endpoints.web.exposure.include property?


Introduction

Spring Boot Actuator provides built-in endpoints that allow you to monitor and manage your application. These endpoints expose critical information about the application's health, metrics, environment, and more. However, for security and performance reasons, not all endpoints are exposed by default.

The management.endpoints.web.exposure.include property plays a crucial role in controlling which Actuator endpoints are made available for web access. By configuring this property, you can explicitly choose which endpoints to expose, allowing you to fine-tune the visibility of sensitive or unnecessary information based on your application's requirements.

This guide explains the significance of the management.endpoints.web.exposure.include property, how to configure it, and its impact on your Spring Boot application.

What is the management.endpoints.web.exposure.include Property?

In Spring Boot, the **management.endpoints.web.exposure.include** property defines which Actuator endpoints are exposed over HTTP. By default, only a subset of Actuator endpoints (such as health and info) is enabled and exposed, to ensure security and minimize exposure of potentially sensitive data.

The property lets you make specific endpoints, or all endpoints, available over HTTP. You can also exclude certain endpoints with the companion management.endpoints.web.exposure.exclude property, which provides further flexibility.

Example Configuration:

In this example, only the health, metrics, and info endpoints are exposed, and others are not.

Configuring management.endpoints.web.exposure.include

The management.endpoints.web.exposure.include property can be set in your application.properties or application.yml configuration file. You can configure it in several ways to control which endpoints are exposed.

1. Expose Specific Endpoints

If you want to expose only specific Actuator endpoints, list them in a comma-separated list:

This configuration will expose only the health, metrics, and info endpoints, while hiding others (such as beans, env, or trace).

2. Expose All Endpoints

To expose all available Actuator endpoints, you can use the wildcard (*). In application.yml the wildcard must be quoted ("*"), because * has a special meaning in YAML:

This will expose all Actuator endpoints, which include sensitive data like environment variables, beans, and heap dumps. While useful for debugging, this approach should be used cautiously in production environments to prevent exposure of sensitive information.

3. Exclude Specific Endpoints

You can also configure which endpoints to exclude by using the management.endpoints.web.exposure.exclude property, which takes precedence over include:

This configuration exposes all endpoints except for env and beans, allowing you to restrict the visibility of potentially sensitive information.
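
How the include and exclude lists from the three cases above combine, as an added example that is not part of the original page or Spring Boot's own code: a small Python audit that parses properties text, resolves the endpoints exposed over HTTP, and flags the ones worth reviewing. The endpoint catalogue (built from the names this page mentions), the SENSITIVE set, and the sample configurations are assumptions constructed for illustration.

```python
PREFIX = "management.endpoints.web.exposure."
# Endpoint ids named on this page (a constructed catalogue, not Spring Boot's full list).
KNOWN = {"health", "metrics", "info", "env", "beans", "trace", "loggers", "heapdump"}
# Assumption: ids this audit treats as sensitive; adjust to your own policy.
SENSITIVE = {"env", "beans", "trace", "loggers", "heapdump"}
# Default when include is unset, as described on this page (varies by Boot version).
DEFAULT_INCLUDE = {"health", "info"}


def parse_properties(text):
    """Parse simple key=value / key: value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if sep == -1:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _ids(value):
    """Split a comma-separated endpoint list; '*' expands to every known id."""
    items = {v.strip().lower() for v in value.split(",") if v.strip()}
    return set(KNOWN) if "*" in items else items


def audit(text):
    """Return (exposed ids, exposed ids considered sensitive), both sorted."""
    props = parse_properties(text)
    include = props.get(PREFIX + "include")
    included = _ids(include) if include else set(DEFAULT_INCLUDE)
    excluded = _ids(props.get(PREFIX + "exclude", ""))
    exposed = included - excluded  # exclude takes precedence over include
    return sorted(exposed), sorted(exposed & SENSITIVE)


# Constructed sample configurations matching the three cases above.
SPECIFIC = "management.endpoints.web.exposure.include=health,metrics,info\n"
WILDCARD = "management.endpoints.web.exposure.include=*\n"
WILDCARD_EXCLUDE = WILDCARD + "management.endpoints.web.exposure.exclude=env,beans\n"

if __name__ == "__main__":
    for cfg in (SPECIFIC, WILDCARD, WILDCARD_EXCLUDE):
        print(audit(cfg))
```

Running a check like this against each profile's properties file in CI catches a wildcard include that was meant only for development before it reaches production.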

Available Endpoints

Here are some of the common Actuator endpoints that you can expose and access using the management.endpoints.web.exposure.include property:

  • **/actuator/health**: Displays the health status of the application, including any custom health checks defined in the application.
  • **/actuator/metrics**: Exposes application performance metrics, such as memory usage, garbage collection statistics, and custom metrics.
  • **/actuator/info**: Provides application-related information, such as build version, description, or custom metadata.
  • **/actuator/env**: Displays the application's environment properties, including system properties, environment variables, and configuration properties.
  • **/actuator/beans**: Lists all Spring beans in the application context.
  • **/actuator/trace**: Shows a trace of HTTP requests that have been handled by the application.
  • **/actuator/loggers**: Allows dynamic configuration of log levels for various packages or classes in the application.

Impact of Configuring management.endpoints.web.exposure.include

Configuring the management.endpoints.web.exposure.include property can have significant effects on the visibility and security of your application. Here's a summary of the impact:

1. Security

Actuator endpoints can expose sensitive data, including application properties, system environment variables, database configurations, and logging details. By limiting which endpoints are exposed using management.endpoints.web.exposure.include, you can significantly reduce the risk of exposing sensitive information to unauthorized users. Exposure only decides which endpoints are reachable over HTTP; it does not authenticate callers, so the endpoints you do expose still need access control. For example:

This configuration exposes only essential health and metrics information and avoids disclosing more sensitive data such as application environment details or database beans.

2. Performance

Exposing a large number of endpoints can impact the performance of your application, particularly if these endpoints include resource-intensive operations, such as database queries or network calls. By only exposing the necessary endpoints, you can reduce unnecessary overhead and optimize the application's performance.

For example, disabling endpoints that provide detailed information about beans or trace logs can minimize resource usage:

3. Visibility and Debugging

While you might want to expose only essential endpoints in production, enabling additional endpoints in development or testing environments can be useful for debugging and monitoring. For instance, exposing the /actuator/beans or /actuator/env endpoints can provide valuable insight into the application's configuration and environment.

You can configure different sets of endpoints based on the active profile:

In this case, during development (application-dev.properties), more detailed information is exposed, whereas in production (application-prod.properties), only health and metrics are exposed for security reasons.

Combining with Other Properties

The management.endpoints.web.exposure.include property can also be combined with other related properties for more granular control:

  1. Securing Actuator Endpoints:
    Secure access to the endpoints by configuring authentication and authorization (e.g., using Spring Security).

  2. Customizing Health Endpoint:
    Customize the behavior of the health check endpoint by controlling what details are shown.

  3. Exposing Metrics in External Monitoring Tools:
    Integrate with monitoring tools like Prometheus or Datadog by exposing metrics endpoints:

Conclusion

The management.endpoints.web.exposure.include property in Spring Boot Actuator allows you to control which Actuator endpoints are exposed over HTTP. It plays a critical role in managing the visibility of important application information and helps to ensure security and performance by limiting access to sensitive data. By carefully configuring which endpoints are available, you can monitor your application effectively while protecting sensitive resources.

Whether you are debugging, monitoring, or optimizing performance, configuring the management.endpoints.web.exposure.include property helps to customize the accessibility of Actuator endpoints for different environments.
