Locking down Actuator endpoints isn't enough. After the incident, I rebuilt the authorization model from scratch: explicit SecurityFilterChain, separate health groups, roles for /metrics and /env, and real validation with curl…
After publishing my Jakarta EE vs Spring Boot analysis, I audited Actuator's defaults on a backend I own and found sensitive endpoints wide open — ones I never consciously configured. Here's the hardening checklist I built afterward.
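As an added example for both posts above (not code from the original posts), this is what such a model looks like in Spring Boot 3 / Spring Security 6: a dedicated `SecurityFilterChain` scoped to the Actuator base path, `health` left anonymous with details withheld, `/metrics` gated by one role, `/env` and everything else by another, and a default-deny for endpoints exposed later. The class name, the `METRICS` and `ADMIN` roles, the two in-memory users, the health group names and the `application.yml` values in the comment are assumptions for illustration; the in-memory users are for local curl validation only.

```java
package example.security; // assumed package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.env.EnvironmentEndpoint;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.metrics.MetricsEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Assumed application.yml (separate health groups, details only for ADMIN):
 *
 * management:
 *   endpoints:
 *     web:
 *       exposure:
 *         include: health,metrics,env   # explicit allow-list, never "*"
 *   endpoint:
 *     health:
 *       show-details: when_authorized   # anonymous callers see status only
 *       roles: ADMIN
 *       group:
 *         liveness:
 *           include: ping
 *         readiness:
 *           include: db,diskSpace
 *
 * Groups are served at /actuator/health/liveness and /actuator/health/readiness.
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    // Chain dedicated to /actuator/**. @Order(1) puts it ahead of the
    // application's own SecurityFilterChain (assumed to exist elsewhere),
    // so Actuator rules can never be shadowed by a broad app-level permitAll.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Matches /actuator/health and its sub-paths, i.e. the groups above.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Scrapers get metrics and nothing else.
                .requestMatchers(EndpointRequest.to(MetricsEndpoint.class)).hasRole("METRICS")
                // Environment is as sensitive as a config dump: operators only.
                .requestMatchers(EndpointRequest.to(EnvironmentEndpoint.class)).hasRole("ADMIN")
                // Default deny: any endpoint added to the exposure list later
                // is ADMIN-only until a rule above says otherwise.
                .anyRequest().hasRole("ADMIN"))
            // CSRF stays enabled on purpose: POST endpoints (refresh, shutdown)
            // are rejected unless the caller also presents a token.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Demo users for validating the rules with curl. In a real deployment
    // these come from your identity provider, not from source code.
    @Bean
    UserDetailsService actuatorUsers() {
        return new InMemoryUserDetailsManager(
            User.withUsername("scraper").password("{noop}change-me").roles("METRICS").build(),
            User.withUsername("ops").password("{noop}change-me").roles("ADMIN").build());
    }
}
```

The validation step is to hit each boundary and confirm the failure mode, not just the happy path: anonymous `curl -i http://localhost:8080/actuator/health/readiness` should return 200 with a status but no component details; anonymous `/actuator/env` should return 401 with a `WWW-Authenticate` header; `curl -i -u scraper:change-me .../actuator/env` should return 403 (authenticated but wrong role); `curl -i -u ops:change-me .../actuator/env` should return 200. If the 403 case returns 200, the application's own filter chain is matching first and the `@Order` is wrong.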