Spring Boot Actuator hides property values in env endpoint

By default the /env endpoint will hide the value of any property with a key that, ignoring case, ends with password, secret, or key. You can customize this using the endpoints.env.keys-to-sanitize property. The value of this property should be a comma-separated list of suffixes or regexes to match against property names. For example, if you don't care about keys ending in key you could set it to:

endpoints.env.keys-to-sanitize=password,secret

This is what the documentation says:

endpoints.env.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services

Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.


You can do it as @Andy Wilkinson mentioned. But you will see the "endpoints.env.keys-to-sanitize" property with value "password,secret" in the applicationConfig section of the /env endpoint.

To avoid this you can set the property using code as well:

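import javax.annotation.PostConstruct;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.endpoint.EnvironmentEndpoint;

// MyApp must be a Spring-managed bean for the injection and @PostConstruct to take effect.
public class MyApp {
    @Autowired
    private EnvironmentEndpoint envEndPnt;

    // Runs after dependency injection; sets the sanitized keys without a visible property.
    @PostConstruct
    public void initApplication() {
        envEndPnt.setKeysToSanitize("password", "secret");
    }
}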

So once all the initializations are done and initApplication is called, you will have the EnvironmentEndpoint on which you set the property manually.
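
To check which property names a given keys-to-sanitize value leaves unmasked, the matching rule quoted above (case-insensitive suffix, or regex) can be modelled in plain Java. This is an added example, not code from the answers or from Spring Boot; the class EnvSanitizeAudit, the rule for deciding that an entry is a regex, and the property names are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: models the /env key-matching rule described above; not Spring Boot's own code.
public class EnvSanitizeAudit {

    // Assumption: an entry containing one of these characters is treated as a regex.
    private static final String[] REGEX_PARTS = {"*", "$", "^", "+"};

    static Pattern toPattern(String entry) {
        for (String part : REGEX_PARTS) {
            if (entry.contains(part)) {
                return Pattern.compile(entry, Pattern.CASE_INSENSITIVE);
            }
        }
        // Plain string: the property name must end with it, ignoring case.
        return Pattern.compile(".*" + entry + "$", Pattern.CASE_INSENSITIVE);
    }

    // Returns the property names whose values would be shown unmasked.
    static List<String> exposed(String keysToSanitize, List<String> names) {
        List<Pattern> patterns = new ArrayList<>();
        for (String entry : keysToSanitize.split(",")) {
            patterns.add(toPattern(entry.trim()));
        }
        List<String> result = new ArrayList<>();
        for (String name : names) {
            boolean masked = false;
            for (Pattern p : patterns) {
                if (p.matcher(name).matches()) { masked = true; break; }
            }
            if (!masked) result.add(name);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed property names, for illustration only.
        List<String> names = Arrays.asList("spring.datasource.password", "jwt.signing.SECRET",
                "payment.api.key", "oauth.access.token", "aws.credentials.id", "server.port");
        // Documented default list, then the reduced list from the answers above.
        System.out.println(exposed("password,secret,key,token,.*credentials.*,vcap_services", names));
        System.out.println(exposed("password,secret", names));
    }
}
```

Running the same comparison over an application's real property names before narrowing the list shows which values would start appearing in /env output.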