Best practices for Swagger UI in production
I'm working on a REST API with a Swagger UI. When it comes time to expose the API, should I expose the Swagger UI as well? If so, how would I package it into my application? Currently, I have the UI downloaded from GitHub and am storing it in a folder alongside my project.

I'm using Go (with the Echo framework) to write the API.

Accordingly answered 4/6, 2020 at 18:27 Comment(4)
Why do you want to expose the Swagger UI publicly? I normally use swag for developers and don't use it in production. - Percentage
Apologies, by publicly, I meant to other developers at the company. Just so they understand what endpoints are available for use. - Accordingly
I don't store the doc in GitHub; when needed you can use the command to generate it again, and for development you can do it like this: if appEnv != "PRODUCTION" { e.GET("/swagger/*", echoSwagger.WrapHandler) } - Percentage
Ah okay, I see, that makes sense. Thank you! - Accordingly
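An added example (not from the question or any of the answers) of the environment gating that Percentage's comment describes, written against Go's standard net/http so it runs without Echo. Beyond the comment's version, the docs route is not registered at all in production (so it 404s rather than being "hidden"), and outside production it sits behind HTTP Basic auth so only developers with credentials can read it. The APP_ENV/DOCS_USER/DOCS_PASS variable names, the basic-auth gate and the inline OpenAPI document are assumptions:

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"os"
	"strings"
)

// Constructed stand-in for the generated OpenAPI document (swag would normally produce it).
const specJSON = `{"openapi":"3.0.0","info":{"title":"My Service","version":"1.0"},"paths":{}}`

func isProduction(env string) bool { return strings.EqualFold(env, "production") }

// requireDocsAuth puts HTTP Basic auth in front of h so only developers holding the
// configured credentials can read the docs; everyone else gets 401 (credentials assumed to come from config).
func requireDocsAuth(user, pass string, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="api-docs"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// newRouter registers the API routes. The docs route is only registered when env is not
// production, so in production the path does not exist at all (404) rather than being hidden.
func newRouter(env, docsUser, docsPass string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	if !isProduction(env) {
		spec := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			w.Write([]byte(specJSON))
		})
		mux.Handle("/swagger/doc.json", requireDocsAuth(docsUser, docsPass, spec))
	}
	return mux
}

func main() {
	mux := newRouter(os.Getenv("APP_ENV"), os.Getenv("DOCS_USER"), os.Getenv("DOCS_PASS"))
	http.ListenAndServe(":8080", mux)
}
```

With Echo the same shape applies: register the swagger group only when the environment is not production, and attach an auth middleware to that group.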
There can be security threats if Swagger is exposed to production and can be accessed publicly, like:

  • Increased attack surface: Swagger becomes an additional entry point that can be targeted by potential Denial-of-Service (DoS) attacks.

  • Information exposure: Swagger exposes detailed documentation about your API endpoints, request/response structures, and data models.

  • Injection vulnerabilities: The information exposed in Swagger, including data formats, input validation, and implementation details, can aid attackers in launching injection attacks, e.g. SQL injection or cross-site scripting (XSS), which can manipulate or compromise data and the system.

  • Unauthorized access risks: Improper configuration of Swagger can result in unauthorized access to sensitive API endpoints or functionality.

Rissole answered 10/7, 2023 at 14:22 Comment(0)
We should not enable Swagger in production due to security threats. In .NET Core version 6.0, we can protect it with the below code in Program.cs.

if (!app.Environment.IsProduction())
{
    app.UseSwagger(); // serves the generated /swagger/v1/swagger.json document that the UI loads
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "My Service");
        c.RoutePrefix = string.Empty; // serve the Swagger UI at the app's root
    });
}
Voiture answered 25/2, 2022 at 13:12 Comment(5)
What kind of security threats are there when you use Swagger in production? - Cita
Yeah, what security threats are you talking about? - Disorder
Probably no direct threats per se, but unless there's a good reason to include it in production, why would you give would-be attackers a blueprint to your API? - Varney
You should exclude it at compile time, not runtime. If you don't need it, it should not be there. - Philoprogenitive
Swagger is meant to be a blueprint to your API @ChristopherBurgdorff, lol. Simply secure your API or don't expose one. - Acea

© 2022 - 2024 — McMap. All rights reserved.