How do you turn off swagger-ui in production

Solution 1

Put your Swagger configuration into a separate configuration class and annotate it with the @Profile annotation, so that it will be scanned into the Spring context only in certain profiles.

Example:

@Configuration
@EnableSwagger2
@Profile("dev")
public class SwaggerConfig {
    // your swagger configuration
}

You can then define the profile your Spring Boot app is operating in via the command line: --spring.profiles.active=dev or via a config file: spring.profiles.active=dev.

Read this section of Spring Boot docs for more info about @Profile

Solution 2

If you are working with multiple environments, you can also pass an array to @Profile:

@Configuration
@EnableSwagger2
@Profile({"dev","qa"})
public class SwaggerConfig {
   // your swagger configuration
}

Solution 3

With Swagger version 3.0.0 you can add springfox.documentation.enabled=false to the application.properties file of the corresponding environment profile. For example, I have added this to application-prod.properties to disable it in production (while running the app you must specify the profile using VM args like -Dspring.profiles.active=prod).

Solution 4

This is my configuration class:

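import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.Contact;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

// Static import for the regex(...) path selector used below
import static springfox.documentation.builders.PathSelectors.regex;

// Loaded only when the "swagger" profile is active
@Configuration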
@Profile("swagger")
@EnableSwagger2
public class SwaggerConfig {

    @Value("${info.build.version}")
    private String buildVersion;

    @Bean
    public Docket documentation() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.any())
                .paths(regex("/rest/.*"))
                .build()
                .pathMapping("/")
                .apiInfo(metadata());
    }

    private ApiInfo metadata() {
        return new ApiInfoBuilder()
                .title("API documentation of our App")
                .description("Use this documentation as a reference how to interact with app's API")
                .version(buildVersion)
                .contact(new Contact("Dev-Team", "https://dev-website", "dev@mailbox"))
                .build();
    }
}

Wherever I need Swagger, I add the profile swagger to the environment variable SPRING_PROFILES_ACTIVE.

Solution 5

In addition to the answers configuring Spring using a profile, consider having rules on your reverse HTTP proxy to block access to the Swagger end points from outside the LAN. That would give you some defence in depth against attacks on the Swagger end points.
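Several comments below report that with the profile approach /swagger-ui.html is still served even though no API methods are listed. One way to refuse those URLs inside the application is a servlet filter that is only registered in production; this is an added example, not code from any of the answers. It assumes Spring Boot 2.x on the servlet stack (javax.servlet; Spring Boot 3 uses jakarta.servlet), the profile name prod from Solution 3, a hypothetical class name, and a path list based on the Springfox default locations.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;

// Added example (hypothetical class): registered only in the "prod" profile,
// runs before other filters and answers 404 for the Swagger UI and API-docs paths.
@Component
@Profile("prod")
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SwaggerBlockingFilter extends OncePerRequestFilter {

    // Assumed Springfox 2.x/3.x locations; adjust to what your build serves.
    private static final List<String> BLOCKED = Arrays.asList(
            "/swagger-ui.html", "/swagger-ui/**", "/swagger-resources/**",
            "/v2/api-docs/**", "/v3/api-docs/**", "/webjars/springfox-swagger-ui/**");

    private final AntPathMatcher matcher = new AntPathMatcher();
    private final UrlPathHelper pathHelper = new UrlPathHelper();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Decoded path without the context path or ";param" segments, so that
        // encoded or parameterised variants of a blocked URL are matched too.
        String path = pathHelper.getPathWithinApplication(request);
        for (String pattern : BLOCKED) {
            if (matcher.match(pattern, path)) {
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

With the prod profile active, requesting /swagger-ui.html or /v2/api-docs should return 404, which is worth confirming after each deployment.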

Author by

user301693

Updated on July 10, 2022

Comments

  • user301693
    user301693 almost 2 years

    I have swagger plugged in to my spring boot application. Spring boot allows you to have property files for each environment that you have. Is there a way to disable swagger for a production environment?

  • user301693
    user301693 almost 8 years
    We've done this, and it appears that the extension -> swagger-ui.html still appears even though the guts of the APIs aren't showing. Is there a way to make it so that swagger-ui.html doesn't even get produced?
  • g00glen00b
    g00glen00b almost 8 years
    @user301693 If you're using Maven you can load the swagger dependencies within a specific Maven profile, that should do the trick I guess.
  • luboskrnac
    luboskrnac almost 8 years
    @g00glen00b, and have different artifacts for PROD than for other environments? I guess QA and OPS guys wouldn't be very happy with that.
  • kryger
    kryger over 6 years
    This essentially duplicates the other, much older answer (i.e. "use profile")
  • gstackoverflow
    gstackoverflow over 6 years
    /swagger-ui.html is still available, but there are no methods. Is there a way to forbid the URL?
  • Stéphane GRILLON
    Stéphane GRILLON over 6 years
    Does not work; the HTML page is displayed (not with the REST API, but displayed anyway).
  • luboskrnac
    luboskrnac over 6 years
    Correct, this approach turns off only the back end. Please refer to the SO question provided by @gstackoverflow.
  • Pervez
    Pervez over 5 years
    Yes it is valid I also want to know why down vote... thanks Jin Kwon
  • vijay
    vijay over 5 years
    I think this is a neater way of enabling Swagger on demand, instead of disabling it for some profiles.
  • Oleg
    Oleg almost 5 years
    I know it's an old question, but we use @Profile("!prod") to avoid specifying tons of other profiles explicitly. Hope it helps somebody.
  • Michał Króliczek
    Michał Króliczek over 4 years
    The downvote is not from me, but this will probably disable only the JSON endpoints and not the webjar UI page?
  • Tungata
    Tungata almost 3 years
    Thank you a lot for this simple answer. It works!
  • Daniel Hári
    Daniel Hári over 2 years
    not working with swagger 3
  • Trevor
    Trevor about 2 years
    In case you're using SpringDoc, it has a similar alternative: springdoc.api-docs.enabled=false
  • Namo
    Namo almost 2 years
    Since v1.1.16 the property was changed: springdoc.api-docs.enabled=false