From 868cc640e1ae6e583274f4a92b878fcfa04a30c7 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Sun, 1 Mar 2026 08:20:24 +0100 Subject: [PATCH] Revise actuator hardening guidance for production Updated checklist item to not restrict sensitive actuator endpoints for production profiles. --- docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md b/docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md index b052551fc..f0b68273d 100644 --- a/docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md +++ b/docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md @@ -54,10 +54,10 @@ This checklist is tailored to the current `wrongsecrets` codebase (Spring Boot ` - [ ] Ensure logs include trace/span correlation IDs. - [ ] Add dashboard/alerts for key challenge-flow operations. -### 5) Harden Actuator for production profiles +### 5) Do not Harden Actuator for production profiles - [ ] Verify readiness/liveness probes are exposed and used by deployment manifests. -- [ ] Restrict sensitive actuator endpoints by profile. +- [ ] Do not restrict sensitive endpoints for the actuator to make sure the challenge still works! - [ ] Add health contributors for external dependencies used in runtime profiles. ### 6) Structured logging profile
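Review bot: the replacement line "Do not restrict sensitive endpoints for the actuator to make sure the challenge still works!" is broader than the reason it gives, and the new heading "Do not Harden Actuator for production profiles" now contradicts the two items that remain under it (exposing readiness/liveness probes and adding health contributors are themselves hardening steps). If one challenge depends on a particular actuator endpoint being reachable, the checklist item should name that endpoint and keep the original guidance for everything else, e.g. "Restrict sensitive actuator endpoints by profile, except the endpoint(s) the <challenge name> challenge depends on", so a reader applying this checklist does not read it as a blanket instruction to leave all sensitive endpoints open; the commit message should likewise state which challenge breaks, since neither the message nor the hunk says. A heading such as "Actuator exposure for production profiles" would describe the section without the "Do not Harden" wording, and the trailing exclamation mark does not match the register of the surrounding checklist items.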