Spring Boot Actuator hides property values in env endpoint

By default the /env endpoint will hide the value of any property with a key that, ignoring case, ends with password, secret, or key. You can customize this using the endpoints.env.keys-to-sanitize property. The value of this property should be a comma-separated list of suffixes or regexes to match against property names. For example, if you don't care about keys ending in key you could set it to:

endpoints.env.keys-to-sanitize=password,secret

This is what the documentation says:

endpoints.env.keys-to-sanitize=password,secret,key,token,.credentials.,vcap_services

Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.

You can do it as @Andy Wilkinson mention. But you will see "endpoints.env.keys-to-sanitize" property with value "password,secret" in the applicationConfig section of /env endpoint.

To avoid this you can set the property using code as well:

public class MyApp {
    @Autowired
    private EnvironmentEndpoint envEndPnt;

    @PostConstruct
    public void initApplication() {
         envEndPnt.setKeysToSanitize("password","secret");
    } 
}

So once all the initializations are done and the initApplication is called you will have the EnvironmentEndPoint to which you set the property manually.

Spring Boot Actuator hides property values in env endpoint

Tags:

Configuration

Spring Boot

Related

Recent Posts