[MOSIP-44770] Actuator endpoints are publicly accessible with broad exposure. #1845

Open
Md-Humair-KK wants to merge 2 commits into mosip:develop from Infosys:MOSIP-44770

[MOSIP-44770] Actuator endpoints are publicly accessible with broad exposure.#1845
Md-Humair-KK wants to merge 2 commits into
mosip:developfrom
Infosys:MOSIP-44770

Conversation

Md-Humair-KK (Collaborator) commented May 13, 2026

Summary by CodeRabbit

  • Chores
    • Restricted access to monitoring and diagnostic endpoints, limiting public exposure to essential health checks and metrics only.
    • Enhanced security by preventing unauthorized access to sensitive system configuration and health component details.


Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
coderabbitai (Bot) commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 44f44193-bb4e-4752-a159-6d6c4a1c0872

📥 Commits

Reviewing files that changed from the base of the PR and between 26c5585 and dc4d806.

📒 Files selected for processing (2)
  • esignet-service/src/main/resources/application-default.properties
  • esignet-service/src/main/resources/bootstrap.properties

Walkthrough

The PR hardens Spring Security and Actuator endpoint configurations by replacing broad wildcard endpoint exposure with specific endpoint whitelists and eliminating unnecessary information disclosure in both application-default.properties and bootstrap.properties.

Changes

Actuator Endpoint Security Hardening

  • Layer: Spring Security CSRF and Auth URL allowlisting
    File(s): esignet-service/src/main/resources/application-default.properties
    Summary: mosip.esignet.security.ignore-csrf-urls and mosip.esignet.security.ignore-auth-urls are updated to stop broadly ignoring all /actuator/** endpoints and instead explicitly allowlist only /actuator/health/**, /actuator/info, and /actuator/prometheus. Security comments are added to emphasize that /actuator/** must not be whitelisted generally.
  • Layer: Actuator endpoint exposure and information disclosure hardening
    File(s): esignet-service/src/main/resources/bootstrap.properties
    Summary: Management endpoint exposure is restricted from wildcard (*) to an explicit allowlist of health,info,prometheus. Sensitive endpoints are explicitly excluded. Environment and config property show-values are hardened from ALWAYS to NEVER, and health endpoint details/components visibility is suppressed for all callers via show-details=never and show-components=never.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Through firewall paths we hop with care,
No broad expose for /actuator/ to share,
Health and info, Prometheus pass through,
Config secrets hidden from view—
Security strengthened, the rabbit's crew! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main security fix: restricting overly broad actuator endpoint exposure by whitelisting only necessary endpoints.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
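As an added example (not code from the PR or from the eSignet project), a small Python lint that parses Spring Boot properties text and flags the weak actuator settings this PR replaces, run over constructed before/after fragments; the management.* keys are standard Spring Boot properties, while the mosip.esignet.security.* keys and their comma-separated form are assumed from the walkthrough above.

```python
# Added example, not code from the PR or from eSignet: a lint that parses
# Spring Boot .properties text and flags the actuator settings this PR tightens.
# The management.* keys are standard Spring Boot ones; the mosip.esignet.security.*
# keys and their comma-separated form are assumed from the PR description.
from typing import Dict, List

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value per line, '#'/'!' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def actuator_findings(props: Dict[str, str]) -> List[str]:
    """One finding per weak actuator setting; an empty list means hardened."""
    findings: List[str] = []
    if props.get("management.endpoints.web.exposure.include", "") == "*":
        findings.append("exposure.include=* exposes every actuator endpoint")
    for key in ("management.endpoint.env.show-values",
                "management.endpoint.configprops.show-values"):
        if props.get(key, "").upper() == "ALWAYS":
            findings.append(f"{key}=ALWAYS discloses property values")
    for key in ("management.endpoint.health.show-details",
                "management.endpoint.health.show-components"):
        value = props.get(key, "never")  # Spring Boot's default is never
        if value.lower() != "never":
            findings.append(f"{key}={value} is not 'never'")
    for key in ("mosip.esignet.security.ignore-auth-urls",
                "mosip.esignet.security.ignore-csrf-urls"):
        patterns = [p.strip() for p in props.get(key, "").split(",")]
        if "/actuator/**" in patterns:
            findings.append(f"{key} bypasses security for all of /actuator/**")
    return findings

# Constructed fragments mirroring the before/after state the PR describes.
WEAK = """management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=ALWAYS
management.endpoint.health.show-details=always
mosip.esignet.security.ignore-auth-urls=/actuator/**"""
HARDENED = """management.endpoints.web.exposure.include=health,info,prometheus
management.endpoint.env.show-values=NEVER
management.endpoint.configprops.show-values=NEVER
management.endpoint.health.show-details=never
management.endpoint.health.show-components=never
mosip.esignet.security.ignore-auth-urls=/actuator/health/**,/actuator/info,/actuator/prometheus"""
```

Running `actuator_findings(parse_properties(WEAK))` yields four findings, while the hardened fragment yields none.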

@rachik-hue rachik-hue added the bug Something isn't working label May 13, 2026
@rachik-hue rachik-hue removed the bug Something isn't working label May 13, 2026
@rachik-hue rachik-hue added this to the eSignet_v1.8.1 milestone May 18, 2026