Hide swagger docs in prod

[SibiAkkash]

Not sure how useful this is, given that the code is open source 🙈

[punchagan]

But, what's the motivation behind hiding them? Are they a performance hit?

[SibiAkkash]

But, what's the motivation behind hiding them? Are they a performance hit?
No, the motivation wasn't performance.

Enabling docs could potentially be a security threat. (internal routes that we don't expose could be visible this way; if we don't configure auth properly for an endpoint, people could access it etc...).

But all the endpoints can be found in the source code anyways... That's why I don't know whether this is needed.

[punchagan]

We should focus on making sure we don't have any security loop holes like that.. where end-points are exposed without auth, when they shouldn't be. I wouldn't worry too much about docs being a security threat.

[SibiAkkash]

We should focus on making sure we don't have any security loop holes like that.. where end-points are exposed without auth, when they shouldn't be. I wouldn't worry too much about docs being a security threat.

Yes absolutely. I was just making sure to cover our bases lol. This might or might not have been triggered from reading an article where a vulnerability was triggered by docs being left open in prod 🙈. But agree, on your point here

[punchagan]

Yes absolutely. I was just making sure to cover our bases lol. This might or might not have been triggered from reading an article where a vulnerability was triggered by docs being left open in prod 🙈. But agree, on your point here

Maybe we add some tests or a lint check or something, which forces us to make it explicit whether an end-point is open or authenticated.