Spring Boot Actuator hides property values in env endpoint

Question

My problem is, that my Spring-Boot Actuator endpoint for env actually replaces some properties with starts like this:

"applicationConfig: [classpath:/config/application.properties]" : {
    "rest.baseurl" : "http://85.214.247.80:9912",
    "projectKey" : "******",

And I have no clue why. I did not have any hint in my application thats he should hide it. I guess there is some heuristic to hide it based on the property name.

any Ideas how to avoid the masking?

Answer 1

By default the /env endpoint will hide the value of any property with a key that, ignoring case, ends with password, secret, or key. You can customize this using the endpoints.env.keys-to-sanitize property. The value of this property should be a comma-separated list of suffixes or regexes to match against property names. For example, if you don't care about keys ending in key you could set it to:

endpoints.env.keys-to-sanitize=password,secret

This is what the documentation says:

endpoints.env.keys-to-sanitize=password,secret,key,token,.credentials.,vcap_services

Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.

Answer 2

You can do it as @Andy Wilkinson mention. But you will see "endpoints.env.keys-to-sanitize" property with value "password,secret" in the applicationConfig section of /env endpoint.

To avoid this you can set the property using code as well:

public class MyApp {
    @Autowired
    private EnvironmentEndpoint envEndPnt;

    @PostConstruct
    public void initApplication() {
         envEndPnt.setKeysToSanitize("password","secret");
    } 
}

So once all the initializations are done and the initApplication is called you will have the EnvironmentEndPoint to which you set the property manually.