validator-badge

Publish a privacy policy

Open dolmen opened this issue 10 years ago • 3 comments

As the validator is fetching specs that may be private (for example from a privately hosted version of swagger-ui), this may lead users to leak private API specs to your service. It would be helpful for trust to publish a privacy policy about what the public instance of validator at online.swagger.io does server-side:

  • how are the URIs of spec files submitted to the validator handled? (logged? for how long?)
  • how are the contents of specs downloaded by the validator handled? (cached? stored?)
  • what is the User-Agent of the validator in HTTP headers? Does it respect /robots.txt?

dolmen avatar Oct 05 '15 14:10 dolmen

Good points. First off, the online validator is only capable of fetching from publicly-available specs. That means anything behind the firewall is inaccessible by the validator. This is intentional.

Next, one can push specs to the validator with POST methods. This bypasses the availability constraint above and could send private information into the service (it is unused by the UI and one would need to explicitly code this)

Lastly, the exact source code that is deployed online is available in this repo. As you can see, no funny business.

To answer your other questions:

  • Not cached
  • Specs are never stored when retrieved in any manner
  • Does not respect robots.txt because the request to the spec is explicit from a user and not part of a crawl.

fehguy avatar Oct 05 '15 17:10 fehguy
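The "only publicly-available specs" constraint above is described as a property of where the public instance runs, not as a check in the code. For a self-hosted validator that sits on a corporate network, the same property has to be enforced explicitly, otherwise a `?url=` parameter pointing at an internal host turns the service into a proxy that leaks private specs (the classic SSRF shape). The following is an added example, not code from validator-badge; it shows one way to reject spec URLs whose host resolves to a non-public address. The function names, the `example_resolver` table and the addresses in it are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical guard (not validator-badge's own code): decide whether a spec
# URL points at a publicly routable host before a server-side fetcher touches
# it. Loopback, link-local, RFC 1918, carrier-grade NAT and other reserved
# ranges are refused, so a request like ?url=http://intranet/spec.yaml cannot
# pull a private spec through the service.


def _unwrap(ip):
    """Treat an IPv4-mapped IPv6 literal (::ffff:10.0.0.1) as the IPv4 it wraps."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _is_public(ip):
    # is_global is False for private, loopback, link-local, multicast, reserved
    # and (for IPv4) the 100.64.0.0/10 shared address space.
    ip = _unwrap(ip)
    return ip.is_global


def resolve_all(host):
    """Resolve every A/AAAA record for host; the fetcher must check all of them."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos})


# Constructed resolver table so the example (and its checks) run offline.
_EXAMPLE_TABLE = {
    "api.example": [ipaddress.ip_address("93.184.216.34")],
    "intranet.example": [ipaddress.ip_address("10.1.2.3")],
    # split-horizon style: one public and one private answer for the same name
    "split.example": [ipaddress.ip_address("93.184.216.34"),
                      ipaddress.ip_address("192.168.1.5")],
}


def example_resolver(host):
    return _EXAMPLE_TABLE.get(host, [])


def spec_url_is_public(url, resolve=resolve_all):
    """Return (ok, reason). ok is True only if every address for the host is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IP in the URL
    except ValueError:
        addrs = resolve(host)                      # DNS name
    if not addrs:
        return False, "host %s does not resolve" % host
    for ip in addrs:
        if not _is_public(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example/swagger.json",
              "http://intranet.example/spec.yaml",
              "http://169.254.169.254/latest/meta-data",
              "http://[::ffff:10.0.0.1]/spec",
              "file:///etc/passwd"):
        print(u, "->", spec_url_is_public(u, resolve=example_resolver))
```

Two caveats a practitioner would want: the check is advisory unless the fetcher connects to the exact address it validated (a name that is re-resolved at connect time can be rebound to a private address between check and use), and every address returned for a name must pass, since a single private record is enough to reach the internal host. Redirects need the same treatment on each hop.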

Some specs may be IP restricted. Could you publish the IP range the swagger backend servers will use to access the specification?

yinzara avatar Mar 25 '16 18:03 yinzara

IP Range? If the spec is public, the server will be able to access it. If not, it will fail.

fehguy avatar Mar 25 '16 19:03 fehguy