47.7 HTTP health endpoint access restrictions
The information exposed by the health endpoint varies depending on whether or not it’s accessed anonymously, and whether or not the enclosing application is secure. By default, when accessed anonymously in a secure application, any details about the server’s health are hidden and the endpoint will simply indicate whether or not the server is up or down. Furthermore the response is cached for a configurable period to prevent the endpoint being used in a denial of service attack. The endpoints.health.time-to-live property is used to configure the caching period in milliseconds. It defaults to 1000, i.e. one second.
The above-described restrictions can be enhanced, thereby allowing only authenticated users full access to the health endpoint in a secure application. To do so, set endpoints.health.sensitive to true. Here’s a summary of behavior (with default sensitive flag value “false” indicated in bold):
management.security.enabled |
endpoints.health.sensitive |
Unauthenticated | Authenticated |
|---|---|---|---|
| false | false | Full content | Full content |
| false | true | Status only | Full content |
| true | false | Status only | Full content |
| true | true | No content | Full content |