Multiple sources describe how Spring Boot Actuator endpoints are controlled and why exposing everything by default can unintentionally increase risk. The articles note that a common tutorial pattern uses `management.endpoints.web.exposure.include: "*"`, which makes every enabled endpoint reachable over HTTP. They argue Actuator itself is not inherently unsafe; the issue is enabling endpoints without a clear policy for what should be exposed, to whom, and from where.

The sources emphasize points from the official Spring Boot Actuator documentation: by default, only `health` and `info` are exposed over HTTP (other endpoints are not automatically reachable). The documentation distinguishes “enabling” an endpoint (it exists in the application) from “exposing” it (it is reachable via HTTP or JMX). It also highlights that some endpoints may reveal sensitive data (for example, `env` and `configprops`) and that `shutdown` is enabled but not exposed by default due to its irreversible impact. The sources also state Spring Boot does not automatically add authentication to Actuator endpoints.

They recommend restricting operational endpoints to internal monitoring or operators, considering management port separation (e.g., `management.server.port`) and validating actual exposure via `/actuator` and startup logs, while noting security depends on network and proxy configuration.