Spring Boot Actuator hides property values in env endpoint
By default the /env endpoint will hide the value of any property with a key that, ignoring case, ends with password, secret, or key. You can customize this using the endpoints.env.keys-to-sanitize property. The value of this property should be a comma-separated list of suffixes or regexes to match against property names. For example, if you don't care about keys ending in key you could set it to:
endpoints.env.keys-to-sanitize=password,secret
This is what the documentation says:
endpoints.env.keys-to-sanitize=password,secret,key,token,.credentials.,vcap_services
Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
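To see which property names a given keys-to-sanitize list would still leave visible, the matching rule described above can be re-implemented stand-alone. This is an added example, not Spring Boot's own code and not part of the original answers; the class name SanitizeAudit, the sample property names, and the set of characters that mark an entry as a regex are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: stand-alone re-implementation of the matching rule described above.
public class SanitizeAudit {

    // Assumption: an entry containing one of these characters is treated as a regex.
    private static final String[] REGEX_PARTS = {"*", "$", "^", "+"};

    static List<Pattern> compile(String keysToSanitize) {
        List<Pattern> patterns = new ArrayList<>();
        for (String entry : keysToSanitize.split(",")) {
            String value = entry.trim();
            if (value.isEmpty()) {
                continue; // an empty entry would otherwise match every key
            }
            boolean regex = Arrays.stream(REGEX_PARTS).anyMatch(value::contains);
            // Plain entries are suffixes: anything, then the literal entry at the end.
            String expr = regex ? value : ".*" + Pattern.quote(value) + "$";
            patterns.add(Pattern.compile(expr, Pattern.CASE_INSENSITIVE));
        }
        return patterns;
    }

    static boolean isSanitized(String key, List<Pattern> patterns) {
        // The whole key must match, so a suffix entry only hits at the end of the name.
        return patterns.stream().anyMatch(p -> p.matcher(key).matches());
    }

    public static void main(String[] args) {
        // The shortened list from the answer above (no "key" suffix).
        List<Pattern> patterns = compile("password,secret");
        // Constructed property names, not taken from any real application.
        String[] keys = {
            "spring.datasource.password", "APP_CLIENT_SECRET",
            "aws.access.key", "service.api.token", "server.port"
        };
        for (String key : keys) {
            System.out.printf("%-28s %s%n", key,
                isSanitized(key, patterns) ? "masked" : "shown in /env");
        }
    }
}
```

With the shortened list, the names ending in key and token are reported as shown, which is the check to run before dropping a suffix from the list.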
You can do it as @Andy Wilkinson mentioned. But you will see the "endpoints.env.keys-to-sanitize" property with value "password,secret" in the applicationConfig section of the /env endpoint.
To avoid this you can set the property using code as well:
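import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.endpoint.EnvironmentEndpoint;

// Must be a Spring-managed bean so that injection and @PostConstruct run
public class MyApp {
    @Autowired
    private EnvironmentEndpoint envEndPnt;

    // Runs after injection; sets the sanitize list without adding a property
    @PostConstruct
    public void initApplication() {
        envEndPnt.setKeysToSanitize("password", "secret");
    }
}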
So once all the initializations are done and initApplication is called, you will have the EnvironmentEndpoint on which you set the property manually.