47.1 Securing sensitive endpoints

If you add ‘Spring Security’ to your project, all sensitive endpoints exposed over HTTP will be protected. By default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).

Tip
Generated passwords are logged as the application starts. Search for ‘Using default security password’.

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. For example, you might set the following in your application.properties:

security.user.name=admin
security.user.password=secret
management.security.roles=SUPERUSER

Tip
If you don’t use Spring Security and your HTTP endpoints are exposed publicly, you should carefully consider which endpoints you enable. See Section 46.1, “Customizing endpoints” for details of how you can set endpoints.enabled to false then “opt-in” only specific endpoints.
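
The following application.properties fragment is an added example, not part of the original reference text. It combines the opt-in approach from the tip above with the credential properties shown earlier, and takes the password from the environment rather than hard-coding it. The environment variable name ACTUATOR_ADMIN_PASSWORD and the choice of health and info as the enabled endpoints are assumptions made for illustration.

```properties
# --- Endpoint exposure: disable everything, then opt in ---
# Turn off all actuator endpoints by default.
endpoints.enabled=false
# Re-enable only the endpoints this deployment needs
# (health and info are an assumed choice for this example).
endpoints.health.enabled=true
endpoints.info.enabled=true

# --- Credentials and role for the endpoints that remain protected ---
security.user.name=admin
# Resolved from the environment at startup instead of a literal value
# committed with the application (variable name is an assumption).
security.user.password=${ACTUATOR_ADMIN_PASSWORD}
management.security.roles=SUPERUSER
```

Setting security.user.password explicitly also means the generated default password is no longer used, so nothing needs to be read from the startup log.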
