What is Spring Boot Actuator, and what does it expose out of the box?
Quick Answer
Spring Boot Actuator adds a set of production-ready HTTP (and JMX) endpoints for monitoring and managing a running application, without any custom code needed — health status, application info, metrics, environment properties, active beans, HTTP request mappings, and more. Only a small, safe subset (/actuator/health and /actuator/info) is exposed over HTTP by default; broader exposure and access control are deliberately opt-in, since many Actuator endpoints reveal sensitive internal details.
Detailed Answer
Adding spring-boot-starter-actuator to a project brings in a set of built-in HTTP (and JMX) endpoints exposing operational insight into a running application — no custom monitoring code required:
Common built-in endpoints (accessible under /actuator/* by default):
/actuator/health — overall application health status (UP/DOWN), aggregating individual health indicators (database connectivity, disk space, message broker connectivity, and any custom indicators you register).
/actuator/info — arbitrary static or build-time application metadata (version, git commit, build time) you configure to be exposed.
/actuator/metrics — a browsable list of collected metrics (JVM memory, HTTP request counts/latencies, custom application metrics via Micrometer).
/actuator/env — the application's currently resolved Environment properties (configuration values, profiles) — sensitive, since it can reveal connection strings or other configuration detail.
/actuator/beans — every bean currently registered in the ApplicationContext.
/actuator/mappings — every registered @RequestMapping route in the application.
/actuator/threaddump, /actuator/heapdump — a live thread dump / full heap dump — very sensitive, potentially exposing in-memory application data.
/actuator/loggers — view and even dynamically change logging levels for specific packages at runtime, without a restart.
Default exposure is deliberately conservative: out of the box, only /actuator/health and /actuator/info are exposed over HTTP — everything else must be explicitly opted into:
management.endpoints.web.exposure.include=health,info,metrics,prometheus
This default-off posture exists specifically because many Actuator endpoints reveal genuinely sensitive internal detail (environment variables, full heap contents, every registered bean) — broadening exposure should always be a deliberate decision, paired with appropriate access restriction (see the Actuator-security question), not something enabled wholesale "just in case it's useful."
Actuator is also what integrates naturally with health-check-based orchestration (Kubernetes liveness/readiness probes) and metrics-scraping systems (Prometheus), covered in the following questions.
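To check what a given management.endpoints.web.exposure setting actually opens up, the following added example (not code from the original page or from Spring) computes the effective HTTP exposure from application.properties text and reports which sensitive endpoints it includes. The SENSITIVE set is this example's own classification based on the endpoint descriptions above, the sample configurations are constructed, and YAML configuration is not handled.

```python
# Added example (not from the original page): audit Actuator web exposure.
PREFIX = "management.endpoints.web.exposure."
DEFAULT_EXPOSED = {"health", "info"}  # default as stated on this page
# Endpoint ids named on this page; "*" expands to this set in the example.
KNOWN = {"health", "info", "metrics", "env", "beans", "mappings",
         "threaddump", "heapdump", "loggers", "prometheus"}
# Assumption: this example's own classification, from the page's descriptions.
SENSITIVE = {"env", "beans", "mappings", "threaddump", "heapdump", "loggers"}

# Constructed sample inputs.
PAGE_CONFIG = PREFIX + "include=health,info,metrics,prometheus\n"
WILDCARD_CONFIG = (
    "# expose everything, then carve out the dumps\n"
    + PREFIX + "include=*\n"
    + PREFIX + "exclude=heapdump,threaddump\n"
)

def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if cuts:
            props[line[:min(cuts)].strip()] = line[min(cuts) + 1:].strip()
    return props

def ids(value):
    """Split a comma-separated endpoint list into a set of ids."""
    return {v.strip() for v in value.split(",") if v.strip()}

def effective_exposure(text):
    """Endpoint ids reachable over HTTP: include (or default) minus exclude."""
    props = parse_properties(text)
    include = ids(props.get(PREFIX + "include", "")) or set(DEFAULT_EXPOSED)
    exclude = ids(props.get(PREFIX + "exclude", ""))
    if "*" in exclude:  # excluding everything wins over any include
        return set()
    exposed = set(KNOWN) if "*" in include else include
    return exposed - exclude

def audit(text):
    """Sorted list of sensitive endpoints the configuration exposes."""
    return sorted(effective_exposure(text) & SENSITIVE)
```

Running audit() over each profile's properties file in CI gives an early signal when a wildcard include slips into a production configuration.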