diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/AccessLevel.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/AccessLevel.java
index 15f1c3e598..fe556f2a17 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/AccessLevel.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/AccessLevel.java
@@ -39,6 +39,8 @@ enum AccessLevel {
 	 */
 	FULL;
 
+	private static final String REQUEST_ATTRIBUTE = "cloudFoundryAccessLevel";
+
 	private final List<String> endpointPaths;
 
 	AccessLevel(String... endpointPaths) {
@@ -55,7 +57,11 @@ enum AccessLevel {
 	}
 
 	public void put(HttpServletRequest request) {
-		request.setAttribute("cloudFoundryAccessLevel", this);
+		request.setAttribute(REQUEST_ATTRIBUTE, this);
+	}
+
+	public static AccessLevel get(HttpServletRequest request) {
+		return (AccessLevel) request.getAttribute(REQUEST_ATTRIBUTE);
 	}
 
 }
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpoint.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpoint.java
index adb10e79d7..a270e18a41 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpoint.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpoint.java
@@ -54,8 +54,12 @@ class CloudFoundryDiscoveryMvcEndpoint extends AbstractMvcEndpoint {
 			url = url.substring(0, url.length() - 1);
 		}
 		links.put("self", Link.withHref(url));
+		AccessLevel accessLevel = AccessLevel.get(request);
 		for (NamedMvcEndpoint endpoint : this.endpoints) {
-			links.put(endpoint.getName(), Link.withHref(url + "/" + endpoint.getName()));
+			if (accessLevel != null && accessLevel.isAccessAllowed(endpoint.getPath())) {
+				links.put(endpoint.getName(),
+						Link.withHref(url + "/" + endpoint.getName()));
+			}
 		}
 		return Collections.singletonMap("_links", links);
 	}
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpointTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpointTests.java
index 1795d82c36..ab105964bd 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpointTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryDiscoveryMvcEndpointTests.java
@@ -39,12 +39,14 @@ public class CloudFoundryDiscoveryMvcEndpointTests {
 
 	private CloudFoundryDiscoveryMvcEndpoint endpoint;
 
+	private Set<NamedMvcEndpoint> endpoints;
+
 	@Before
 	public void setup() {
-		NamedMvcEndpoint testMvcEndpoint = new TestMvcEndpoint(new TestEndpoint("a"));
-		Set<NamedMvcEndpoint> endpoints = new LinkedHashSet<NamedMvcEndpoint>();
-		endpoints.add(testMvcEndpoint);
-		this.endpoint = new CloudFoundryDiscoveryMvcEndpoint(endpoints);
+		NamedMvcEndpoint endpoint = new TestMvcEndpoint(new TestEndpoint("a"));
+		this.endpoints = new LinkedHashSet<NamedMvcEndpoint>();
+		this.endpoints.add(endpoint);
+		this.endpoint = new CloudFoundryDiscoveryMvcEndpoint(this.endpoints);
 	}
 
 	@Test
@@ -56,6 +58,7 @@ public class CloudFoundryDiscoveryMvcEndpointTests {
 	public void linksResponseWhenRequestUriHasNoTrailingSlash() throws Exception {
 		MockHttpServletRequest request = new MockHttpServletRequest("GET",
 				"/cloudfoundryapplication");
+		AccessLevel.FULL.put(request);
 		Map<String, CloudFoundryDiscoveryMvcEndpoint.Link> links = this.endpoint
 				.links(request).get("_links");
 		assertThat(links.get("self").getHref())
@@ -68,6 +71,7 @@ public class CloudFoundryDiscoveryMvcEndpointTests {
 	public void linksResponseWhenRequestUriHasTrailingSlash() throws Exception {
 		MockHttpServletRequest request = new MockHttpServletRequest("GET",
 				"/cloudfoundryapplication/");
+		AccessLevel.FULL.put(request);
 		Map<String, CloudFoundryDiscoveryMvcEndpoint.Link> links = this.endpoint
 				.links(request).get("_links");
 		assertThat(links.get("self").getHref())
@@ -76,6 +80,23 @@ public class CloudFoundryDiscoveryMvcEndpointTests {
 				.isEqualTo("http://localhost/cloudfoundryapplication/a");
 	}
 
+	@Test
+	public void linksResponseWhenRequestHasAccessLevelRestricted() throws Exception {
+		NamedMvcEndpoint testHealthMvcEndpoint = new TestMvcEndpoint(
+				new TestEndpoint("health"));
+		this.endpoints.add(testHealthMvcEndpoint);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET",
+				"/cloudfoundryapplication/");
+		AccessLevel.RESTRICTED.put(request);
+		Map<String, CloudFoundryDiscoveryMvcEndpoint.Link> links = this.endpoint
+				.links(request).get("_links");
+		assertThat(links.get("self").getHref())
+				.isEqualTo("http://localhost/cloudfoundryapplication");
+		assertThat(links.get("health").getHref())
+				.isEqualTo("http://localhost/cloudfoundryapplication/health");
+		assertThat(links.get("a")).isNull();
+	}
+
 	private static class TestEndpoint extends AbstractEndpoint<Object> {
 
 		TestEndpoint(String id) {