If you want runtime metrics and app info without turning your production app into a public status billboard then Spring Boot Actuator is your friend and your mild responsibility. This short tutorial walks you through adding Actuator support exposing the endpoints you need enabling useful details and locking down access so your metrics do not become internet trivia.

What you get with Actuator

Actuator gives you built in endpoints for health checks metrics info and other operational data. Think of it as a small command center for your app that developers and ops can use to troubleshoot and monitor. You will learn how to:

• Add Actuator to your project
• Expose specific endpoints via configuration
• Enable endpoint features such as health details
• Secure endpoints for production
• Test that everything actually works

Step 1 Add the Actuator dependency

Most projects just need the official starter. If you use Maven add the dependency under the dependencies element in pom.xml.

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

If you use Gradle add the starter dependency to your build script. This makes the actuator module available with minimal fuss.

Step 2 Expose the endpoints you actually need

By default Actuator does not expose everything over HTTP which is good because less noise means less attack surface. Configure the web exposure in application.properties or application.yml to include only the endpoints you want. Example properties snippet for common needs.

# application.properties
management.endpoints.web.exposure.include=health,info,metrics
management.endpoints.web.base-path=/actuator

Only include endpoints you use in production. Putting wildcard exposure in production is a fast track to regret.

Step 3 Enable endpoint features when needed

Some endpoints provide less data by default for safety. If you need health details for debugging set the property to show them. Keep this cautious in production.

# show health details for debugging
management.endpoint.health.show-details=always

Other endpoints may need additional configuration depending on the information they surface. Enable what you need and no more.

Step 4 Secure the actuator endpoints

Actuator endpoints are useful to ops and also attractive to unauthorized snoops. Protect them. Two common approaches work well together:

• Enable Spring Security and require a role for sensitive endpoints such as shutdown or env
• Run the management endpoints on a separate port so only internal systems can reach them

# run actuator on a separate port
management.server.port=8081

For role based security add checks in your security configuration or use HTTP basic or OAuth depending on your environment. Treat access control as mandatory and not optional decor.

Step 5 Test the exposed endpoints

Confirm endpoints are responding. Use a browser curl or your favorite HTTP client to hit the actuator base path and a few endpoints. Example curl checks.

# check health
curl -i http://localhost:8080/actuator/health

# check metrics
curl -i http://localhost:8080/actuator/metrics

# check info
curl -i http://localhost:8080/actuator/info

If you moved the management port remember to target that port. If you protected endpoints with auth provide credentials in your client or test tool.

Quick recap and sensible defaults

• Add the Actuator starter
• Expose only the endpoints you need using management.endpoints.web.exposure.include
• Enable health details only when necessary and with care
• Secure endpoints with Spring Security and consider a dedicated management port
• Test everything with curl or an HTTP client before you trust it in production

Pro tip Keep the exposure tight prefer role based access and avoid turning on wildcard exposure unless you are building a local sandbox where nobody will notice your overconfidence.