From 5692b83a6f428b8975934a74234ec7601403c2c8 Mon Sep 17 00:00:00 2001 From: Stephane Nicoll Date: Wed, 30 May 2018 15:21:58 +0200 Subject: [PATCH] Add note on sanitizing values Closes gh-13138 --- spring-boot-docs/src/main/asciidoc/howto.adoc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-docs/src/main/asciidoc/howto.adoc index 9d0a6e40362..e0f983cf05e 100644 --- a/spring-boot-docs/src/main/asciidoc/howto.adoc +++ b/spring-boot-docs/src/main/asciidoc/howto.adoc @@ -2403,6 +2403,22 @@ how to register handlers in the servlet container. +[[howto-sanitize-sensible-values]] +=== Sanitize sensible values +Information returned by the `env` and `configprops` endpoints can be somewhat sensitive +so keys matching a certain pattern are sanitized by default (i.e. their values are +replaced by `******`). + +Spring Boot uses sensible defaults for such keys: for instance, any key ending with the +word "password", "secret", "key" or "token" is sanitized. It is also possible to use a +regular expression instead, such as `*credentials.*` to sanitize any key that holds the +word `credentials` as part of the key. + +The patterns to use can be customized using the `endpoints.env.keys-to-sanitize` and +`endpoints.configprops.keys-to-sanitize` respectively. + + + [[howto-use-actuator-with-jersey]] === Actuator and Jersey Actuator HTTP endpoints are only available for Spring MVC-based applications. If you want
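Review bot: The regular-expression example in the second added paragraph, `*credentials.*`, is not a valid regular expression as written, because the leading `*` has nothing to quantify; `.*credentials.*` matches what the sentence describes (any key that holds the word `credentials`). The new heading and its anchor say "sensible" where the first paragraph says "sensitive" (`=== Sanitize sensible values`, `[[howto-sanitize-sensible-values]]`); the anchor becomes a link target, so it is worth correcting before it is published, and the fix also removes the clash with "sensible defaults" in the next paragraph. The last paragraph should state whether setting `endpoints.env.keys-to-sanitize` or `endpoints.configprops.keys-to-sanitize` replaces the default patterns or adds to them, since a reader who lists only a `credentials` pattern needs to know whether keys ending in "password", "secret", "key" or "token" are still masked.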