Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
현재
/actuator/**경로에 대해ADMIN권한을 요구하도록 변경하여 민감한 엔드포인트(예:/actuator/env,/actuator/heapdump등)를 보호하는 것은 좋은 보안 조치입니다.다만, Prometheus 등 외부 모니터링 시스템이
/actuator/prometheus나/actuator/info와 같은 엔드포인트를 주기적으로 수집(Scraping)해야 하는 경우, 모니터링 시스템에 과도한 권한(ADMIN)을 부여해야 하거나 수집이 차단될 수 있습니다.권장 사항:
최소 권한 원칙(Principle of Least Privilege)을 준수하기 위해, 모니터링 전용 역할(예:
MONITORING)을 추가로 정의하고hasAnyRole을 사용하여 권한을 부여하는 것을 고려해 보세요.(참고:
/actuator/health는healthSecurityFilterChain에서 이미permitAll()로 설정되어 있으므로 이 변경의 영향을 받지 않습니다.)