diff --git a/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java b/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
index 080bf1bffd..14b33be287 100644
--- a/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
+++ b/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
@@ -35,7 +35,11 @@
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
-  private static final String ACTUATOR_ROUTE = "/actuator/**";
+  private static final String ACTUATOR_ROUTE = "/actuator/";
+  private static final String HEALTH_ROUTE = ACTUATOR_ROUTE + "health";
+  private static final String PROMETHEUS_ROUTE = ACTUATOR_ROUTE + "prometheus";
+  private static final String READINESS_ROUTE = ACTUATOR_ROUTE + "readiness";
+  private static final String LIVENESS_ROUTE = ACTUATOR_ROUTE + "liveness";
   private static final String SUBMISSION_ROUTE =
       "/version/v1" + SubmissionController.SUBMISSION_ROUTE;
 
@@ -51,7 +55,7 @@ protected HttpFirewall strictFirewall() {
   @Override
   protected void configure(HttpSecurity http) throws Exception {
     http.authorizeRequests()
-        .mvcMatchers(HttpMethod.GET, ACTUATOR_ROUTE).permitAll()
+        .mvcMatchers(HttpMethod.GET, HEALTH_ROUTE, PROMETHEUS_ROUTE, READINESS_ROUTE, LIVENESS_ROUTE).permitAll()
         .mvcMatchers(HttpMethod.POST, SUBMISSION_ROUTE).permitAll()
         .anyRequest().denyAll()
         .and().csrf().disable();