For the latest stable version, please use Actuator extensions 4.1.0.1!

Spring Boot Actuator Sanitizing Starter

Introduction

The Spring Boot Actuator Sanitizing starter masks sensitive information in actuator endpoints such as /actuator/env and /actuator/configprops. It implements Spring Boot's SanitizingFunction interface, so you can customize how data is cleaned before it is exposed through those endpoints.

Features

This starter supports Spring Boot 4.0+ (Spring Boot 3.5.x is maintained on the 3.5 branch) and requires Java 17 or later.

The sanitizer provides flexible configuration options for masking sensitive data:

  • Exact key matching - specify exact property names to sanitize

  • Key pattern matching - use regular expressions to match property keys

  • Value pattern matching - sanitize based on value content patterns

Configuration

To use the sanitizer, add the following dependency to your pom.xml:

<dependency>
    <groupId>org.alexmond</groupId>
    <artifactId>spring-boot-actuator-sanitizer-starter</artifactId>
    <version>{page-component-version}</version>
</dependency>

Sample sanitizer configuration

management:
  endpoint:
    sanitizing:
      enabled: true
      sanitize-values: true
      mask-value: "***HIDDEN***"
      keys:
        - password
        - secret
        - token
        - key
        - credential
        - private
        - apikey
        - auth
      key-patterns:
        - ".*password.*"
        - ".*secret.*"
        - ".*token.*"
        - ".*key.*"
        - ".*credential.*"
        - ".*auth.*"
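To show how the three matching modes in the sample above compose, here is an added example of a SanitizingFunction that applies that configuration. It is illustration code, not the starter's own implementation; it assumes the Spring Boot Actuator SanitizableData/SanitizingFunction API from org.springframework.boot.actuate.endpoint and a hypothetical class name MaskingSanitizingFunction.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;

// Hypothetical example class, not the starter's own code. Masks a property when its key
// matches an exact key (case-insensitive) or a key pattern, or, with sanitize-values on,
// when its value matches a value pattern. Actuator applies every SanitizingFunction bean.
public class MaskingSanitizingFunction implements SanitizingFunction {
    private final Set<String> exactKeys;       // stored lower-cased
    private final List<Pattern> keyPatterns;   // compiled once, case-insensitive
    private final List<Pattern> valuePatterns; // compiled once, case-sensitive
    private final boolean sanitizeValues;
    private final String maskValue;

    public MaskingSanitizingFunction(List<String> keys, List<String> keyPatterns,
            List<String> valuePatterns, boolean sanitizeValues, String maskValue) {
        this.exactKeys = Set.copyOf(keys.stream().map(k -> k.toLowerCase(Locale.ROOT)).toList());
        this.keyPatterns = keyPatterns.stream()
                .map(p -> Pattern.compile(p, Pattern.CASE_INSENSITIVE)).toList();
        this.valuePatterns = valuePatterns.stream().map(Pattern::compile).toList();
        this.sanitizeValues = sanitizeValues;
        this.maskValue = maskValue;
    }

    @Override
    public SanitizableData apply(SanitizableData data) {
        Object value = data.getValue();
        if (value == null) return data;        // nothing to hide
        // Key checks run first so a secret with a short, plain value is still masked.
        // /actuator/env reports full names such as spring.datasource.password, so an exact
        // key "password" only hits a top-level property; ".*password.*" covers nested ones.
        String key = data.getKey();
        if (key != null) {
            String lowerKey = key.toLowerCase(Locale.ROOT);
            if (exactKeys.contains(lowerKey)
                    || keyPatterns.stream().anyMatch(p -> p.matcher(lowerKey).matches())) {
                return data.withValue(maskValue);
            }
        }
        // Value check catches secrets stored under key names nobody listed.
        if (sanitizeValues && valuePatterns.stream()
                .anyMatch(p -> p.matcher(value.toString()).matches())) {
            return data.withValue(maskValue);
        }
        return data;
    }
}
```

Register it as a bean built from the keys, key-patterns, value-patterns, sanitize-values and mask-value settings above; Spring Boot Actuator applies every SanitizingFunction bean to /actuator/env and /actuator/configprops.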

Configuration Properties

Below you can find a list of configuration properties.

Table 1. Configuration Properties (Name / Default Value / Description)

Name: management.endpoint.sanitizing.enabled
Default Value: true
Description: Whether to enable custom sanitization (if false, the Spring Boot default sanitizer is used).

Name: management.endpoint.sanitizing.key-patterns
Default Value: [".*password.*", ".*secret.*", ".*token.*", ".*key.*", ".*credential.*"]
Description: List of regex patterns matched against property keys; a matching key has its value masked.

Name: management.endpoint.sanitizing.additional-key-patterns
Default Value: []
Description: Additional regex patterns matched against property keys. These patterns are combined with the default key-patterns list.

Name: management.endpoint.sanitizing.keys
Default Value: ["password", "secret", "token", "key", "credential", "private"]
Description: List of exact property keys to sanitize (case-insensitive).

Name: management.endpoint.sanitizing.additional-keys
Default Value: []
Description: Additional exact property keys to sanitize (case-insensitive). These keys are combined with the default keys list.

Name: management.endpoint.sanitizing.mask-value
Default Value: ****
Description: The masked value shown instead of the actual value.

Name: management.endpoint.sanitizing.sanitize-values
Default Value: true
Description: Whether to sanitize based on the value itself (using value-patterns) in addition to the key.

Name: management.endpoint.sanitizing.value-patterns
Default Value: ["^[A-Za-z0-9+/=]{20,}$", "^[A-Fa-f0-9]{32,}$", "^Bearer .*", "^Basic .*"]
Description: List of regex patterns matched against values; a matching value is masked. The defaults cover Base64-encoded strings (20+ chars), hex-encoded hashes/keys (32+ chars), and common Authorization headers (Bearer, Basic).