Disable swagger.json

[thejamesmarq]

In production I'd like to be able to hide the documentation and specs for an API.

I am currently able to prevent documentation from rendering by creating my API with

Api(app, doc=False)

but this still allows someone to navigate to /swagger.json and retrieve the file.

It might be worthwhile being able to disable exposing the swagger spec from the app with an option like

Api(app, doc=False, specs=False)

which would make /swagger.json come back with 404 as expected.

[fxrhxn]

Did you ever find a way to make this work? Trying to disable swagger.json as well.

[Colin-b]

Hi,

I'm curious about why you'd want to hide the specification of your API. Could you elaborate?

Thanks

[myselfhimself]

For enterprise world-available applications. Securing a REST API may consist in encrypting its connection (HTTPS), adding JWT/Oauth2 etc, and also hiding the swagger.json in order to prevent any hacker or crawler to discover the entry points...

…

On Fri, Sep 14, 2018 at 7:27 PM Colin Bounouar ***@***.***> wrote: Hi, I'm curious about why you'd want to hide the specification of your API. Could you elaborate? Thanks — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#464 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNOwjZkqnnbb0QHXn_2uVwn_lTuK1o7ks5ua-cBgaJpZM4UZ0ln> .

[Colin-b]

Once your endpoints are using authentication+authorization as you said it should be ok imho.

I wouldn't consider security by obfuscation as an effective additional security but I get that some people do.

Thx for the reply.

[noirbizarre]

I agree with @Colin-b, I don't consider this as effective security. But I understand the need and I'm just waiting for the test cases to merge #465.

In the meantime, I'm sure you are not serving flask applications without a reverse-proxy and if so, obfuscating the swagger.json URL is as simple as writing a rule to forbid it (or hide if you prefer 404).

[casparjespersen]

There can be an argument made that while hiding the documentation of API endpoints may not be considered as effective security, it still is a valid point in protecting business intelligence.