diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
index 094d63f35c6..a949a8b44e7 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@@ -221,7 +221,13 @@ public class ManagementSecurityAutoConfiguration {
 		List<String> paths = new ArrayList<String>(endpoints.size());
 		for (MvcEndpoint endpoint : endpoints) {
 			if (endpoint.isSensitive() == secure) {
-				paths.add(endpointHandlerMapping.getPrefix() + endpoint.getPath());
+				String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
+				paths.add(path);
+				if (secure) {
+					// Add Spring MVC-generated additional paths
+					paths.add(path + "/");
+					paths.add(path + ".*");
+				}
 			}
 		}
 		return paths.toArray(new String[paths.size()]);
diff --git a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
index 8b0325874bf..7721c5690eb 100644
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
@@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
 				.containsKey("Set-Cookie"));
 	}
 
+	@Test
+	public void testMetricsIsSecure() throws Exception {
+		@SuppressWarnings("rawtypes")
+		ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics/", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics/foo", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics.json", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+	}
+
 	@Test
 	public void testHome() throws Exception {
 		@SuppressWarnings("rawtypes")