Hudnes87

Reputation: 197

Best practices for Swagger UI in production

I'm working on a REST API with a Swagger UI. When it comes time to expose the API, should I expose the Swagger UI as well? If so, how would I package it into my application? Currently, I have the UI downloaded from GitHub and am storing it in a folder alongside my project.

I'm using Go (with the Echo framework) to write the API.

Upvotes: 18

Views: 23583

Answers (2)

Googi

Reputation: 598

There can be security threats if Swagger is exposed in production and can be accessed publicly, such as:

  • Increased attack surface: Swagger becomes an additional entry point that can be targeted by potential Denial-of-Service (DoS) attacks.

  • Information exposure: Swagger exposes detailed documentation about your API endpoints, request/response structures, and data models.

  • Injection vulnerabilities: The information exposed in Swagger, including data formats, input validation, and implementation details, can aid attackers in launching injection attacks, e.g. SQL injection or cross-site scripting (XSS), which can manipulate or compromise data and the system.

  • Unauthorized access risks: Improper configuration of Swagger can result in unauthorized access to sensitive API endpoints or functionality.

Upvotes: 10

Pankaj Mishra

Reputation: 67

We should not enable Swagger in production due to security threats. In .NET Core version 6.0, we can protect it with the below code in Program.cs.

if (!app.Environment.IsProduction())
{
    // Serve the generated OpenAPI document; the UI endpoint below loads it.
    app.UseSwagger();

    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "My Service");
        c.RoutePrefix = string.Empty;  // Serve Swagger UI at the app's root
    });
}

Upvotes: 1
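The question is about Go, so here is the same environment gate from the answer above in Go, combined with the mitigation the first answer's threat list implies (do not let the UI and its spec be reachable anonymously). This is an added example, not code from the question or either answer. It uses the standard library net/http rather than Echo so it has no external dependencies; Echo can mount a net/http handler with echo.WrapHandler, so the gate carries over. The environment variables APP_ENV and SWAGGER_PASSWORD, the /swagger/ path, the "dev" user and the in-memory file set standing in for the downloaded Swagger UI folder are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"io/fs"
	"log"
	"net/http"
	"os"
	"testing/fstest"
)

// swaggerUI stands in for the downloaded Swagger UI folder. A real build would
// use an embed.FS (`//go:embed swagger-ui`); this in-memory fstest.MapFS is a
// constructed stand-in so the example runs offline.
var swaggerUI = fstest.MapFS{
	"index.html":   &fstest.MapFile{Data: []byte("<html><body>Swagger UI (constructed stand-in)</body></html>")},
	"swagger.json": &fstest.MapFile{Data: []byte(`{"openapi":"3.0.0","info":{"title":"My Service","version":"1"},"paths":{}}`)},
}

// basicAuth lets a request through only if it carries HTTP Basic credentials
// that match an entry in users. Passwords are hashed to equal length and then
// compared in constant time so the check does not leak how many bytes matched.
func basicAuth(users map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if ok {
			if want, known := users[user]; known {
				got, exp := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(want))
				if subtle.ConstantTimeCompare(got[:], exp[:]) == 1 {
					next.ServeHTTP(w, r)
					return
				}
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="swagger"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// newMux builds the router. The API is always mounted. The Swagger UI and the
// spec it loads are mounted only when env is not "production", and then only
// behind basicAuth, so a production binary has no /swagger/ route at all.
func newMux(env string, ui fs.FS, users map[string]string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"status":"ok"}`))
	})
	if env != "production" {
		files := http.StripPrefix("/swagger/", http.FileServer(http.FS(ui)))
		mux.Handle("/swagger/", basicAuth(users, files))
	}
	return mux
}

func main() {
	// Assumptions: deployments set APP_ENV=production, and developers set
	// SWAGGER_PASSWORD locally; an empty password is refused, not accepted.
	env := os.Getenv("APP_ENV")
	users := map[string]string{"dev": os.Getenv("SWAGGER_PASSWORD")}
	if env != "production" && users["dev"] == "" {
		log.Fatal("SWAGGER_PASSWORD must be set when Swagger UI is enabled")
	}
	log.Fatal(http.ListenAndServe(":8080", newMux(env, swaggerUI, users)))
}
```

The decision is made once, when the router is built, rather than per request: a production process never registers the route, so there is no header or query parameter that can switch the UI back on. The spec JSON sits under the same prefix as the UI, so the gate covers the information-exposure point as well as the UI itself; a UI that is hidden while its swagger.json stays public protects nothing.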
