mosip · Md-Humair-KK · May 13, 2026 · May 13, 2026
diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties
@@ -108,13 +108,16 @@ mosip.esignet.security.auth.post-urls={'/client-mgmt/**' : {'SCOPE_add_oidc_clie
 mosip.esignet.security.auth.put-urls={'/client-mgmt/**' : { 'SCOPE_update_oidc_client'} }
 mosip.esignet.security.auth.get-urls={'/system-info/**' : { 'SCOPE_get_certificate'} }
 
-mosip.esignet.security.ignore-csrf-urls=/oidc/**,/oauth/**,/actuator/**,/favicon.ico,/error,\
+mosip.esignet.security.ignore-csrf-urls=/oidc/**,/oauth/**,/actuator/health,/actuator/health/**,/actuator/info,/actuator/prometheus,/favicon.ico,/error,\
   /swagger-ui/**,/v3/api-docs/**,/linked-authorization/link-transaction,/linked-authorization/authenticate,\
   /linked-authorization/consent,/binding/**,/client-mgmt/**,/system-info/**,/linked-authorization/v2/link-transaction,\
   /linked-authorization/v2/authenticate,/linked-authorization/v2/consent
 
+# SECURITY: Do NOT whitelist /actuator/** here. Only allow the specific safe endpoints (health, info, prometheus)
+# to be reachable without authentication. All other actuator endpoints must require auth (or be blocked at network level).
 mosip.esignet.security.ignore-auth-urls=/csrf/**,/authorization/**,/linked-authorization/**,/oidc/**,/oauth/**,\
-  /actuator/**,/favicon.ico,/error,/swagger-ui/**,/v3/api-docs/**,/binding/**
+  /actuator/health,/actuator/health/**,/actuator/info,/actuator/prometheus,\
+  /favicon.ico,/error,/swagger-ui/**,/v3/api-docs/**,/binding/**
 
 spring.security.oauth2.resourceserver.jwt.issuer-uri=${keycloak.external.url}/auth/realms/mosip
 spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${keycloak.external.url}/auth/realms/mosip/protocol/openid-connect/certs

diff --git a/esignet-service/src/main/resources/bootstrap.properties b/esignet-service/src/main/resources/bootstrap.properties
@@ -36,12 +36,19 @@ server.tomcat.accesslog.file-date-format=
 server.tomcat.basedir=.
 server.tomcat.accesslog.pattern={"@timestamp":"%{yyyy-MM-dd'T'HH:mm:ss.SSS'Z'}t","level":"ACCESS","level_value":70000,"traceId":"%{X-B3-TraceId}i","spanId":"%{X-B3-SpanId}i","statusCode":%s,"req.requestURI":"%U","bytesSent":%b,"timeTaken":%T,"appName":"${spring.application.name}","req.userAgent":"%{User-Agent}i","req.xForwardedFor":"%{X-Forwarded-For}i","req.referer":"%{Referer}i","req.method":"%m","req.remoteHost":"%a"}
 
-## Prometheus
+## Prometheus / Actuator
+# SECURITY: Restrict actuator exposure to only required endpoints. Do NOT use '*',
+# as that exposes sensitive endpoints such as /actuator/env, /actuator/beans, /actuator/configprops, /actuator/heapdump.
+management.endpoints.web.exposure.include=health,info,prometheus
+management.endpoints.web.exposure.exclude=env,beans,configprops,heapdump,threaddump,loggers,mappings,scheduledtasks,caches,conditions,httptrace,shutdown
 management.endpoint.metrics.access=read-only
-management.endpoints.web.exposure.include=*
 management.endpoint.prometheus.access=read-only
 management.prometheus.metrics.export.enabled=true
-management.endpoint.env.show-values=ALWAYS
+# SECURITY: Never reveal raw env / configprops values; hide health details from anonymous callers.
+management.endpoint.env.show-values=NEVER
+management.endpoint.configprops.show-values=NEVER
+management.endpoint.health.show-details=never
+management.endpoint.health.show-components=never
 
 # disable mapping unknown endpoints to static resources instead throw exception
 spring.web.resources.add-mappings=false