By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. Security is enforced using the standard HttpServletRequest.isUserInRole method.
We can disable this security by setting the following property:
management.security.enabled=false
It is suggested to disable security only if the actuator endpoints are accessed behind a firewall.
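As an added example (not from the original page), the fragment below sets the property above beside an alternative that keeps the ACTUATOR role check and limits where the endpoints listen. It assumes Spring Boot 1.5.x property names and spring-boot-starter-security on the classpath; the user name ops, port 8081 and the ACTUATOR_PASSWORD variable are constructed values.

```properties
# application.properties (added example, constructed values)

# Option A: security off for every actuator endpoint.
# Anyone who can reach the application port can read the sensitive
# endpoints, so this relies entirely on the network restriction.
# management.security.enabled=false

# Option B: keep the default role check and narrow the exposure.
management.security.enabled=true
# Role required for sensitive endpoints (ACTUATOR is already the default).
management.security.roles=ACTUATOR

# A single account that holds the required role.
# The password is read from the environment, not stored in the file.
security.user.name=ops
security.user.password=${ACTUATOR_PASSWORD}
security.user.role=ACTUATOR

# Serve the actuator endpoints on a separate port bound to loopback,
# so they are not reachable on the public application port.
management.port=8081
management.address=127.0.0.1
```

With Option B, a request to a sensitive endpoint without credentials, or from a user lacking the ACTUATOR role, is rejected, which is a quick way to confirm the check is still active after a configuration change.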