47.7 HTTP health endpoint access restrictions
The information exposed by the health endpoint varies depending on whether or not it is accessed anonymously, and whether or not the enclosing application is secure. By default, when accessed anonymously in a secure application, any details about the server's health are hidden and the endpoint simply indicates whether the server is up or down. Furthermore, the response is cached for a configurable period to prevent the endpoint from being used in a denial of service attack. The `endpoints.health.time-to-live` property configures the caching period in milliseconds. It defaults to 1000, i.e. one second.
The restrictions described above can be tightened further so that only authenticated users get full access to the health endpoint in a secure application. To do so, set `endpoints.health.sensitive` to `true`. Here is a summary of the behavior (with the default `sensitive` flag value `false` indicated in bold):
| `management.security.enabled` | `endpoints.health.sensitive` | Unauthenticated | Authenticated |
|---|---|---|---|
| false | **false** | Full content | Full content |
| false | true | Status only | Full content |
| true | **false** | Status only | Full content |
| true | true | No content | Full content |
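The weak and the hardened combinations from the table, as an added `application.properties` fragment (not taken from the Spring Boot reference itself). It assumes Spring Security is on the classpath, which is what makes the application "secure" in the sense used above.

```properties
# Added example: health endpoint settings using the property names from this section.
# Assumption: Spring Security is on the classpath, so the application counts as "secure".

# --- Weak (first row of the table): anonymous callers receive full health details ---
# management.security.enabled=false
# endpoints.health.sensitive=false

# --- Hardened (last row of the table) ---
# Secure the management endpoints; an anonymous request to the health endpoint then gets no content.
management.security.enabled=true
# Only authenticated users see health details; anonymous callers are not even given a bare UP/DOWN status.
endpoints.health.sensitive=true
# Cache the health result for one second (milliseconds) so repeated polling cannot hammer the health checks.
endpoints.health.time-to-live=1000
```

To confirm the effect, request the health endpoint once without credentials and once with a valid user and compare the response bodies against the table above.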