Avoid always-on Spring Boot health details in external profiles
`management.endpoint.health.show-details=always` (or YAML equivalent) publishes detailed health payloads to any caller, which often leaks dependency and infrastructure facts.
#Metadata
#Why it matters
Detailed health should be reserved for authenticated operators or internal networks; `always` removes that gate for anonymous clients.
#Remediation
Switch to `when-authorized`, protect `/actuator/**` with Spring Security, and keep verbose health on internal-only ports or profiles.
#Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.spring-actuator-health-details-always.rule.yaml.