Refined actuator endpoint security rules:

- Allowed public access to `/actuator/health`.
- Enforced authentication for other `/actuator/**` endpoints in production.
- Allowed all `/actuator/**` endpoints in development.

src/main/java/de/avatic/lcc/config/SecurityConfig.java

@@ -70,6 +70,8 @@ public class SecurityConfig {
                 .cors(cors -> cors.configurationSource(prodCorsConfigurationSource())) // Production CORS
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        .requestMatchers("/actuator/health").permitAll()
+                        .requestMatchers("/actuator/**").authenticated()
                         .requestMatchers("/oauth2/token").permitAll()
                         .requestMatchers("/api/**").authenticated()
                         .requestMatchers("/api/dev/**").denyAll()
@@ -174,6 +176,8 @@ public class SecurityConfig {
                 .cors(cors -> cors.configurationSource(devCorsConfigurationSource())) // Dev CORS
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        .requestMatchers("/actuator/health").permitAll()
+                        .requestMatchers("/actuator/**").permitAll()
                         .requestMatchers("/oauth2/token").permitAll()
                         .requestMatchers("/api/**").permitAll()
                         .requestMatchers("/api/dev/**").permitAll()

src/main/resources/application.properties

@@ -14,7 +14,7 @@ spring.cloud.azure.active-directory.authorization-clients.graph.scopes=openid,pr
 
 # Management Endpoints
 management.endpoints.web.exposure.include=health,info,metrics
-management.endpoint.health.show-details=always
+management.endpoint.health.show-details=when-authorized
 
 # Flyway Migration
 spring.flyway.enabled=true