I Exposed Our Database Credentials to the Internet for 6 Weeks

And nobody noticed. Until someone did.

I was the one who deployed it.

I wrote the config. I pushed the code. I ran the pipeline.

And for 6 weeks, our actuator endpoints were completely public.

Database credentials. AWS keys. JWT secrets.

All of it. Sitting there. Accessible to anyone who knew where to look.

I didn’t know. Nobody knew.

Until a teammate was doing a routine check and sent me a Slack message:

“Hey — are your actuator endpoints supposed to be exposed?”

My stomach dropped.

I opened the URL he sent.

/actuator/env

There it was. Everything.

How it happened

I had added this to application.properties:

management.endpoints.web.exposure.include=*

I copied it from a Stack Overflow answer during local debugging.

I forgot to remove it before deploying to production.

That’s it. No complex attack. No sophisticated vulnerability.

One line. Six weeks.

What happened next

We spent two days on incident response.

Full security audit across every service.

Credential rotation — database passwords, AWS keys, JWT secrets, everything.

We had to notify the team, document what was exposed, and figure out whether anyone had actually accessed it.

Someone had.

We found requests in the logs we couldn’t explain. From IPs we didn’t recognize. Hitting endpoints they had no reason to know about.

We never found out exactly what they took.

That’s the part that stays with you.

The part that hurt most

I knew about actuator security.

I had read about it. I knew include=* was dangerous in production.

I just didn’t have a system to catch it before deploying.

I was deploying on memory and habit.

That’s not a system. That’s luck.

And my luck ran out.

What I do now

After that incident, I built a checklist.

Not a mental checklist. A real one. With 47 specific checks across 7 categories — config, security, JVM, database, Docker, monitoring, and post-deploy verification.

One of those checks:

management.endpoints.web.exposure.include is NOT set to * in any environment except local.

If that box isn’t checked, we don’t deploy.
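As an added example (not the author's checklist tooling), here is a pre-deploy gate in Python that applies the check above to Spring Boot config files: it flattens both .properties and the nested YAML form to the dotted key, treats a wildcard inside a list (health,*) as exposure too, and tolerates the wildcard only in the local profile. The file names and contents are constructed stand-ins for src/main/resources, and the profile-per-file layout (application-<profile>.*) is assumed.

```python
import re

KEY = "management.endpoints.web.exposure.include"
ALLOWED_PROFILES = {"local"}  # the only profile where include=* is tolerated, per the checklist

YAML_PREFIX = "management:\n  endpoints:\n    web:\n      exposure:\n        include: "
SAMPLE_CONFIGS = {  # constructed stand-ins for the files under src/main/resources
    "application.properties": "server.port=8080\n" + KEY + "=*\n",
    "application-local.properties": KEY + "=*\n",
    "application-prod.yml": YAML_PREFIX + '"health,*"\n',
    "application-staging.yml": YAML_PREFIX + "health,info\n",
}

def flatten_properties(text):
    """Parse key=value / key: value lines of a .properties file into a dict (comments skipped)."""
    flat = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*)$", line)
        if m:
            flat[m.group(1)] = m.group(2).strip()
    return flat

def flatten_yaml(text):
    """Flatten the nested-mapping YAML Spring Boot uses into dotted keys (no lists or anchors)."""
    flat, stack = {}, []  # stack of (indent, key) describing the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or ":" not in raw:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return flat

def exposes_everything(value):
    """True when any comma-separated entry is the wildcard: include=* or include=health,*."""
    return any(v.strip() == "*" for v in value.split(","))

def check_configs(configs):
    """Return [(filename, value)] for every non-local config that exposes all actuator endpoints."""
    findings = []
    for name, text in configs.items():
        m = re.match(r"application(?:-(\w+))?\.(properties|ya?ml)$", name)
        if not m or m.group(1) in ALLOWED_PROFILES:
            continue
        flat = flatten_properties(text) if m.group(2) == "properties" else flatten_yaml(text)
        value = flat.get(KEY)
        if value is not None and exposes_everything(value):
            findings.append((name, value))
    return findings
```

The check is deliberately strict: a wildcard in the shared application.properties is flagged even when a profile-specific file would override it at runtime, which matches the checklist wording. A non-empty result from check_configs is what should fail the pipeline.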

483 engineers use it before every deploy now.

It’s called the Spring Boot Production Checklist.

If you’re deploying Spring Boot to production without a checklist like this, you’re relying on memory.

Memory fails at 4PM on a Friday when you’re trying to ship before the weekend.

Spring Boot Production Checklist: 47 Checks Before Your Next Deploy

One prevented incident pays for it a thousand times over.


I Exposed Our Database Credentials to the Internet for 6 Weeks was originally published in Javarevisited on Medium.
