Disable spring boot actuator endpoints java config
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
Disabling Spring Boot Actuator endpoints is usually a configuration problem, not a security-filter problem. The most important distinction is between an endpoint being disabled and an endpoint merely being inaccessible. If you truly want an actuator endpoint turned off, the cleanest solution is to set actuator properties before the application context starts, even when you choose to do that from Java instead of application.yml.
Disable Versus Secure
An endpoint can be in one of several states:
- enabled and exposed
- enabled but not exposed on the web
- enabled but protected by security
- disabled entirely
These are not equivalent. If your goal is to remove the endpoint bean or prevent actuator from wiring it up, that is different from adding Spring Security rules that return 403.
Property-Based Control Is the Canonical Mechanism
Spring Boot actuator endpoint enablement is driven by configuration properties. Even when people ask for "Java config," the practical implementation is often setting those properties programmatically.
For example, to disable env and beans while still exposing health and info:
This is Java-based configuration, but it still uses the official actuator configuration model.
Disabling All Endpoints Except a Few
Sometimes the safest approach is to disable broad exposure first and then explicitly allow only what you need.
This pattern is easier to audit because the default posture is restrictive.
Exposure Is a Separate Layer
Even an enabled endpoint is not automatically exposed over HTTP. Web exposure is controlled separately.
That setting prevents those endpoints from being exposed on the web, but it does not necessarily disable them internally. If you need them completely off, use the endpoint-specific enabled properties too.
Do Not Use Security Rules as a Substitute for Disabling
A common mistake is writing security configuration that blocks /actuator/** and then assuming the endpoints are disabled. They are not. They still exist; they are just protected.
That may be acceptable from an access-control perspective, but it is a different operational choice. If you want fewer beans, fewer exposed management surfaces, or clearer application behavior, disable the endpoint directly.
Environment-Specific Java Configuration
If you still want the settings to vary by environment, Java config can read profiles or environment variables before populating default properties.
This is useful when configuration is generated dynamically, though plain externalized configuration is often simpler.
Prefer Simplicity When Possible
If there is no strong reason to do this in Java, using application.yml is usually cleaner and easier to maintain. The important point is not whether the configuration lives in Java or YAML. It is that endpoint enablement should be expressed with actuator properties rather than improvised filtering logic.
Common Pitfalls
- Confusing disabled endpoints with secured endpoints.
- Excluding an endpoint from web exposure and assuming it is fully disabled.
- Trying to control actuator beans with late lifecycle hooks after the context has already started.
- Writing custom security rules when actuator properties would solve the problem directly.
- Forgetting that
management.endpoints.enabled-by-default=falsechanges the starting point for all endpoints.
Summary
- Disabling actuator endpoints is primarily a configuration concern.
- Java config can disable endpoints by setting actuator properties before startup.
- '
enabledandweb exposureare related but different controls.' - Security rules do not actually disable an endpoint.
- If you want a restrictive setup, disable endpoints by default and enable only the few you need.

