Spring Boot Actuator Sanitizing Starter

Introduction

The Spring Boot Actuator Sanitizing starter masks sensitive information in actuator endpoints such as /actuator/env and /actuator/configprops. It implements Spring Boot's SanitizingFunction interface, which lets you customize how data is cleaned before it is exposed through actuator endpoints.

Features

This starter supports Spring Boot 3.5+ and requires Java 17 or later.

The sanitizer provides flexible configuration options for masking sensitive data:

  • Exact key matching - specify exact property names to sanitize

  • Key pattern matching - use regular expressions to match property keys

  • Value pattern matching - sanitize based on value content patterns

Configuration

To use the sanitizer, add the following dependency to your pom.xml:

<dependency>
    <groupId>org.alexmond</groupId>
    <artifactId>spring-boot-actuator-sanitizer-starter</artifactId>
    <version>{page-component-version}</version>
</dependency>

Sample sanitizer configuration

management:
  endpoint:
    sanitizing:
      enabled: true
      sanitize-values: true
      mask-value: "***HIDDEN***"
      keys:
        - password
        - secret
        - token
        - key
        - credential
        - private
        - apikey
        - auth
      key-patterns:
        - ".*password.*"
        - ".*secret.*"
        - ".*token.*"
        - ".*key.*"
        - ".*credential.*"
        - ".*auth.*"

Configuration Properties

The configuration properties are listed below.

Table 1. Configuration Properties

management.endpoint.sanitizing.enabled
    Default value: true
    Whether to enable custom sanitization (if false, Spring Boot's default sanitization is used).

management.endpoint.sanitizing.key-patterns
    Default value: [".*password.*", ".*secret.*", ".*token.*", ".*key.*", ".*credential.*"]
    List of regex patterns matched against property keys; a property whose key matches is sanitized.

management.endpoint.sanitizing.keys
    Default value: ["password", "secret", "token", "key", "credential", "private"]
    List of exact property keys to sanitize (case-insensitive).

management.endpoint.sanitizing.mask-value
    Default value: ****
    The masked value shown instead of the actual value.

management.endpoint.sanitizing.sanitize-values
    Default value: true
    Whether to sanitize values based on their content.

management.endpoint.sanitizing.value-patterns
    Default value: ["^[A-Za-z0-9+/=]{20,}$", "^[A-Fa-f0-9]{32,}$", "^Bearer .*", "^Basic .*"]
    List of regex patterns matched against property values. The defaults cover Base64-looking strings (20 or more characters), hex-encoded hashes and keys (32 or more characters), and common Authorization header values (Bearer, Basic).
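The following is an added example, not the starter's own code, showing how a SanitizingFunction that implements the three matching modes described under Features (exact keys, key patterns, value patterns) with the defaults from Table 1 behaves on a handful of property entries. The package, class and bean names are hypothetical, the property entries are constructed for the demo, and exact keys are assumed to be compared against the full property key (nested keys such as spring.datasource.password are left to the key patterns). Only the SanitizableData constructor, getKey(), getValue() and withValue() from Spring Boot Actuator are used.

```java
// Added example: illustrative SanitizingFunction, not the starter's implementation.
// Package, class and bean names are hypothetical; sample properties are constructed.
package com.example.sanitizing;

import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.MapPropertySource;

public class MaskingSanitizer implements SanitizingFunction {

    private final String maskValue;
    private final List<String> keys;            // exact keys, compared case-insensitively
    private final List<Pattern> keyPatterns;    // regexes tried against the property key
    private final List<Pattern> valuePatterns;  // regexes tried against the value's string form
    private final boolean sanitizeValues;

    public MaskingSanitizer(String maskValue, List<String> keys, List<String> keyPatterns,
                            List<String> valuePatterns, boolean sanitizeValues) {
        this.maskValue = maskValue;
        this.keys = keys.stream().map(k -> k.toLowerCase(Locale.ROOT)).toList();
        this.keyPatterns = keyPatterns.stream()
                .map(p -> Pattern.compile(p, Pattern.CASE_INSENSITIVE)).toList();
        this.valuePatterns = valuePatterns.stream().map(Pattern::compile).toList();
        this.sanitizeValues = sanitizeValues;
    }

    /** Defaults mirroring Table 1 on this page. */
    public static MaskingSanitizer withDefaults() {
        return new MaskingSanitizer("****",
                List.of("password", "secret", "token", "key", "credential", "private"),
                List.of(".*password.*", ".*secret.*", ".*token.*", ".*key.*", ".*credential.*"),
                List.of("^[A-Za-z0-9+/=]{20,}$", "^[A-Fa-f0-9]{32,}$", "^Bearer .*", "^Basic .*"),
                true);
    }

    @Override
    public SanitizableData apply(SanitizableData data) {
        String key = data.getKey();
        Object value = data.getValue();
        if (value == null) {
            return data;                        // nothing to hide
        }
        if (key != null && keyIsSensitive(key)) {
            return data.withValue(maskValue);   // matched by name, regardless of content
        }
        if (sanitizeValues && valueLooksSensitive(String.valueOf(value))) {
            return data.withValue(maskValue);   // matched by content, e.g. a hex key under an innocent name
        }
        return data;                            // unchanged; any other SanitizingFunction beans still run
    }

    private boolean keyIsSensitive(String key) {
        // Assumption: exact keys are compared against the full key; nested keys rely on key-patterns.
        return keys.contains(key.toLowerCase(Locale.ROOT))
                || keyPatterns.stream().anyMatch(p -> p.matcher(key).matches());
    }

    private boolean valueLooksSensitive(String value) {
        // The default value patterns are deliberately broad: any 20+ character
        // Base64-looking string is masked, so long plain identifiers may be hidden too.
        return valuePatterns.stream().anyMatch(p -> p.matcher(value).matches());
    }

    /** Registers the function so the env and configprops endpoints pick it up. */
    @Configuration
    static class SanitizerConfig {
        @Bean
        SanitizingFunction maskingSanitizer() {
            return MaskingSanitizer.withDefaults();
        }
    }

    /** Runs the sanitizer over constructed property entries (not real configuration). */
    public static void main(String[] args) {
        MaskingSanitizer sanitizer = withDefaults();
        Map<String, Object> props = Map.of(
                "spring.datasource.password", "hunter2",                   // key pattern .*password.*
                "server.port", "8080",                                     // no match, stays visible
                "app.hmac", "0123456789abcdef0123456789abcdef",           // 32 hex chars: value pattern
                "app.upstream-header", "Bearer constructed-token-value",   // ^Bearer .*
                "spring.application.name", "inventory-service");          // '-' breaks the Base64 pattern
        MapPropertySource source = new MapPropertySource("constructed", props);
        props.forEach((k, v) -> {
            SanitizableData out = sanitizer.apply(new SanitizableData(source, k, v));
            System.out.println(k + " = " + out.getValue());
        });
    }
}
```

Running main prints the password, the hex value and the Bearer value as ****, while server.port and spring.application.name stay visible. The ordering of checks matters: a key match masks the entry without inspecting its content, and value patterns are only consulted when sanitize-values is true, which is what lets a secret stored under a non-obvious key (app.hmac above) still be hidden.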