Issue
After running the Spring Boot Application, I can access a file on the server using the below link:
http://localhost:8080/myweb/env.json
This file not contains only the server-related data but also the application-related data. Application-related data has all the properties defined in the application.properties file. This is a security vulnerability.
{
"profiles": [],
"server.ports": {
"local.server.port": 8080
},
"servletContextInitParams": {},
"systemProperties": {},
"systemEnvironment": {},
"applicationConfig: [classpath:/application.properties]": {}
}
How this file is getting generated and how can we restrict it from accessing publically?
Solution
This is from Spring Boot Actuator
management.endpoint.env.enabled=false
will disable this endpoint
if it does not work try
management.endpoints.web.exposure.exclude=env
or you can disable all of them with this config
management.endpoints.enabled-by-default=false
you can read more about it here: https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html
Answered By - Andreas Radauer