What is Spring Boot Actuator, and what does it expose out of the box?

7 min · beginner · actuator · monitoring · production-readiness

Quick Answer

Spring Boot Actuator adds a set of production-ready HTTP (and JMX) endpoints for monitoring and managing a running application, without any custom code needed — health status, application info, metrics, environment properties, active beans, HTTP request mappings, and more. Only a small, safe subset (/actuator/health and /actuator/info) is exposed over HTTP by default; broader exposure and access control are deliberately opt-in, since many Actuator endpoints reveal sensitive internal details.

Detailed Answer

Adding spring-boot-starter-actuator to a project brings in a set of built-in HTTP (and JMX) endpoints that expose operational insight into a running application, with no custom monitoring code required.

Common built-in endpoints (accessible under /actuator/* by default):

  • /actuator/health — overall application health status (UP/DOWN), aggregating individual health indicators (database connectivity, disk space, message broker connectivity, and any custom indicators you register).
  • /actuator/info — arbitrary static or build-time application metadata (version, git commit, build time) you configure to be exposed.
  • /actuator/metrics — a browsable list of collected metrics (JVM memory, HTTP request counts/latencies, custom application metrics via Micrometer).
  • /actuator/env — the application's currently resolved Environment properties (configuration values, profiles) — sensitive, since it can reveal connection strings or other configuration detail.
  • /actuator/beans — every bean currently registered in the ApplicationContext.
  • /actuator/mappings — every registered @RequestMapping route in the application.
  • /actuator/threaddump, /actuator/heapdump — a live thread dump / full heap dump — very sensitive, potentially exposing in-memory application data.
  • /actuator/loggers — view and even dynamically change logging levels for specific packages at runtime, without a restart.

Default exposure is deliberately conservative: out of the box, only /actuator/health and /actuator/info are exposed over HTTP — everything else must be explicitly opted into:

management.endpoints.web.exposure.include=health,info,metrics,prometheus

This default-off posture exists specifically because many Actuator endpoints reveal genuinely sensitive internal detail (environment variables, full heap contents, every registered bean) — broadening exposure should always be a deliberate decision, paired with appropriate access restriction (see the Actuator-security question), not something enabled wholesale "just in case it's useful."
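An added example (not from the original page or the Spring project): a small Python check that reads application.properties text and reports which of the sensitive endpoints described above the exposure settings would serve over HTTP. The sample property text is constructed, the `*` wildcard is expanded only to the endpoints named on this page, and the sensitivity notes paraphrase the page's own descriptions.

```python
import re

# Sensitivity notes paraphrase this page's endpoint descriptions.
SENSITIVE = {
    "env": "resolved Environment properties (e.g. connection strings)",
    "beans": "every bean registered in the ApplicationContext",
    "mappings": "every registered request route",
    "threaddump": "live thread dump",
    "heapdump": "full heap dump with in-memory application data",
    "loggers": "logging levels can be changed at runtime",
}
# Assumption: "*" is expanded only to the endpoints named on this page.
KNOWN = ["health", "info", "metrics", "prometheus", *SENSITIVE]
DEFAULT_INCLUDE = ["health", "info"]  # HTTP default as stated on this page
PREFIX = "management.endpoints.web.exposure."

def parse_properties(text):
    """Parse simple 'key=value' / 'key: value' lines; skip comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props

def split_ids(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def exposed_endpoints(text):
    """Endpoint ids served over HTTP; exclude takes precedence over include."""
    props = parse_properties(text)
    include = split_ids(props.get(PREFIX + "include", "")) or DEFAULT_INCLUDE
    exclude = split_ids(props.get(PREFIX + "exclude", ""))
    if "*" in exclude:
        return []
    if "*" in include:
        include = KNOWN
    return [e for e in include if e not in exclude]

def audit(text):
    """Map each exposed sensitive endpoint to the reason it needs review."""
    return {e: SENSITIVE[e] for e in exposed_endpoints(text) if e in SENSITIVE}

# Constructed samples: the page's own setting, and a wholesale "*" exposure.
PAGE_CONFIG = "management.endpoints.web.exposure.include=health,info,metrics,prometheus"
WIDE_CONFIG = """# constructed sample
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=heapdump,threaddump
"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("wide", WIDE_CONFIG)):
        print(name, exposed_endpoints(cfg))
        for endpoint, why in audit(cfg).items():
            print(f"  review /actuator/{endpoint}: {why}")
```

Run in CI against each deployable profile's properties, a non-empty `audit()` result is the cue to confirm that the exposure was a deliberate decision and is paired with access restriction.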

Actuator is also what integrates naturally with health-check-based orchestration (Kubernetes liveness/readiness probes) and metrics-scraping systems (Prometheus), covered in the following questions.