Description
After adopting the Spring Boot Admin (SBA) some colleagues astutely observed that we were "leaking" some secrets, as SBA provides convenient access to the `configprops` and `env` actuator endpoints. Fortunately we can change the keys whose values get sanitized with the following two properties: `management.endpoint.configprops.keys-to-sanitize` and `management.endpoint.env.keys-to-sanitize`. However, setting these overwrites all defaults, which we would like to keep (since they make a lot of sense). Our current solution is to copy all defaults and then add our own (we do this in a central place that is applied to all our applications). Consequently, we now need to ensure that this list is kept up-to-date while also limiting configurability of our internal downstream applications. Ideally, we could keep the default configuration but add to it.
So if possible I would like to suggest an `additional-keys-to-sanitize` property to be introduced which would allow one to set additional keys to sanitize while keeping the defaults.
Additionally, it would be great if the `Sanitizer` could also apply the same special handling to `url` keys that it does for the keys of `Sanitizer#URI_USERINFO_KEYS`, as these can also contain sensitive credentials, such that we do not have to filter the entire value.
We observed this behavior on Spring Boot 2.3.8, but looking at the code of 2.4.x this behavior is still there.