
Disable swagger.json

Open thejamesmarq opened this issue 6 years ago • 8 comments

In production I'd like to be able to hide the documentation and specs for an API.

I am currently able to prevent documentation from rendering by creating my API with

Api(app, doc=False)

but this still allows someone to navigate to /swagger.json and retrieve the file.

It might be worthwhile being able to disable exposing the swagger spec from the app with an option like

Api(app, doc=False, specs=False)

which would make /swagger.json come back with 404 as expected.

thejamesmarq avatar Jun 04 '18 21:06 thejamesmarq

Did you ever find a way to make this work? Trying to disable swagger.json as well.

fxrhxn avatar Sep 14 '18 15:09 fxrhxn

Hi,

I'm curious about why you'd want to hide the specification of your API. Could you elaborate?

Thanks

Colin-b avatar Sep 14 '18 17:09 Colin-b

For enterprise world-available applications. Securing a REST API may consist of encrypting its connection (HTTPS), adding JWT/OAuth2 etc., and also hiding the swagger.json in order to prevent any hacker or crawler from discovering the entry points...


myselfhimself avatar Sep 21 '18 08:09 myselfhimself

Once your endpoints are using authentication + authorization, as you said, it should be OK imho.

I wouldn't consider security by obfuscation as an effective additional security but I get that some people do.

Thx for the reply.

Colin-b avatar Sep 21 '18 10:09 Colin-b

I agree with @Colin-b, I don't consider this effective security. But I understand the need and I'm just waiting for the test cases to merge #465.

In the meantime, I'm sure you are not serving Flask applications without a reverse proxy, and if so, obfuscating the swagger.json URL is as simple as writing a rule to forbid it (or hide it with a 404 if you prefer).

noirbizarre avatar Sep 21 '18 16:09 noirbizarre
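The reverse-proxy rule suggested above, written out as an added example (not part of this thread or of the flask-restplus project): the application still runs with `Api(app, doc=False)`, and nginx answers `/swagger.json` itself instead of forwarding it. The upstream address, the hostname and the `/api/v1` prefix are assumptions.

```nginx
# Added example, not flask-restplus code. Assumes the Flask app listens on
# 127.0.0.1:5000 and that the Api is mounted on a blueprint at /api/v1.
upstream flask_app {
    server 127.0.0.1:5000;           # assumed WSGI server bind address
}

server {
    listen 443 ssl;
    server_name api.example.com;     # placeholder hostname

    # The spec URL: "=" is an exact match, so it wins over the prefix
    # location below and the request never reaches the application.
    # 404 is the "hide" variant; "return 403;" would "forbid" instead.
    location = /api/v1/swagger.json {
        return 404;
    }

    # Everything else is proxied to Flask unchanged.
    location /api/v1/ {
        proxy_pass http://flask_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If the Api is mounted directly on the app rather than a blueprint, the spec lives at `/swagger.json` and the exact-match location changes accordingly.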

There can be an argument made that while hiding the documentation of API endpoints may not be considered as effective security, it still is a valid point in protecting business intelligence.

casparjespersen avatar Aug 23 '19 06:08 casparjespersen

Is this going to be merged? Definitely agree there is a valid use case where you wouldn't want to expose the swagger.json.

BenC14 avatar Oct 29 '19 17:10 BenC14

Hi

Is there an update on this? I'm looking for this enhancement as well.

ravaiyapuri avatar Mar 26 '20 02:03 ravaiyapuri