How do you turn off swagger-ui in production
Solution 1
Put your swagger configuration into a separate configuration class and annotate it with the @Profile annotation, so that it will be scanned into the Spring context only in certain profiles.
Example:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @EnableSwagger2
    @Profile("dev")
    public class SwaggerConfig {
        // your swagger configuration
    }

You can then define the profile your Spring Boot app is operating in via the command line: --spring.profiles.active=dev
or via a config file: spring.profiles.active=dev.
Read this section of Spring Boot docs for more info about @Profile
Solution 2
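If you are working on multiple environments then you can also use @Profile with an array:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @EnableSwagger2
    @Profile({"dev","qa"})
    public class SwaggerConfig {
        // your swagger configuration
    }
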
Solution 3
With swagger 3.0.0 version you can add springfox.documentation.enabled=false in the corresponding environment profile application.properties file. For example, I have added this to application-prod.properties to disable it in production (while running the app you must specify the profile using VM args like -Dspring.profiles.active=prod).
Solution 4
This is my configuration class:
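
    import static springfox.documentation.builders.PathSelectors.regex;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import springfox.documentation.builders.ApiInfoBuilder;
    import springfox.documentation.builders.RequestHandlerSelectors;
    import springfox.documentation.service.ApiInfo;
    import springfox.documentation.service.Contact;
    import springfox.documentation.spi.DocumentationType;
    import springfox.documentation.spring.web.plugins.Docket;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @Profile("swagger")
    @EnableSwagger2
    public class SwaggerConfig {

        // Build version injected from the application properties
        @Value("${info.build.version}")
        private String buildVersion;

        // Document only the handlers mapped under /rest/
        @Bean
        public Docket documentation() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .select()
                    .apis(RequestHandlerSelectors.any())
                    .paths(regex("/rest/.*"))
                    .build()
                    .pathMapping("/")
                    .apiInfo(metadata());
        }

        private ApiInfo metadata() {
            return new ApiInfoBuilder()
                    .title("API documentation of our App")
                    .description("Use this documentation as a reference how to interact with app's API")
                    .version(buildVersion)
                    .contact(new Contact("Dev-Team", "https://dev-website", "dev@mailbox"))
                    .build();
        }
    }

Wherever I need Swagger, I add the profile swagger to the environment variable SPRING_PROFILES_ACTIVE.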
Solution 5
In addition to the answers configuring Spring using a profile, consider having rules on your reverse HTTP proxy to block access to the Swagger end points from outside the LAN. That would give you some defence in depth against attacks on the Swagger end points.
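
Several comments on this page report that /swagger-ui.html is still served after a profile turns off the back end. The following is an added example, not code from any of the answers: a servlet filter that refuses the documentation URLs inside the application, as a complement to the proxy rule in Solution 5. The class name, the "prod" profile, the javax.servlet imports (jakarta.servlet on Spring Boot 3) and the path prefixes (springfox and springdoc default locations) are assumptions to adapt.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class: registered only when the "prod" profile is active.
@Component
@Profile("prod")
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SwaggerBlockingFilter extends OncePerRequestFilter {

    // Assumed default locations of the UI page, its webjar assets and the JSON
    // endpoints; check which of these your build actually serves.
    private static final List<String> BLOCKED_PREFIXES = Arrays.asList(
            "/swagger-ui", "/swagger-resources", "/v2/api-docs", "/v3/api-docs",
            "/webjars/springfox-swagger-ui");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Use the container-decoded servlet path rather than the raw request URI,
        // so encoded characters and ";param" segments cannot slip past the match.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String normalized = path.toLowerCase(Locale.ROOT);
        for (String prefix : BLOCKED_PREFIXES) {
            if (normalized.startsWith(prefix)) {
                // 404 rather than 403: do not confirm that the docs exist.
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```
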
user301693
Updated on July 10, 2022
Comments
-
user301693 almost 2 years
I have swagger plugged in to my spring boot application. Spring boot allows you to have property files for each environment that you have. Is there a way to disable swagger for a production environment?
-
user301693 almost 8 years
We've done this and it appears that the extension -> swagger-ui.html still appears even though the guts of the APIs aren't showing. Is there a way to make it so the swagger-ui.html doesn't even get produced?
-
g00glen00b almost 8 years
@user301693 If you're using Maven you can load the swagger dependencies within a specific Maven profile, that should do the trick I guess.
-
luboskrnac almost 8 years
@g00glen00b, and have different artifacts for PROD than for other environments? I guess QA and OPS guys wouldn't be very happy with that.
-
kryger over 6 years
This essentially duplicates the other, much older answer (i.e. "use profile")
-
gstackoverflow over 6 years
/swagger-ui.html is still available but there are no methods. Is there a way to forbid the URL?
-
Stéphane GRILLON over 6 years
Does not work, the HTML page is displayed (not with the REST API, but displayed anyway)
-
luboskrnac over 6 years
Correct, this approach turns off only the back-end. Please refer to the SO question provided by @gstackoverflow
-
Pervez over 5 years
Yes, it is valid. I also want to know why the downvote... thanks Jin Kwon
-
vijay over 5 years
I think this is a neater way of enabling swagger on demand, instead of disabling it for some profiles.
-
Oleg almost 5 years
I know it's an old question, but we use @Profile("!prod") to avoid specifying tons of other profiles explicitly. Hope it helps somebody.
-
Michał Króliczek over 4 years
The downvote is not from me, but this will probably disable the JSON endpoints only and not the webjar UI page?
-
Tungata almost 3 years
Thank you a lot for this simple answer. It works!
-
Daniel Hári over 2 years
Not working with swagger 3
-
Trevor about 2 years
In case you're using SpringDoc, it has a similar alternative: springdoc.api-docs.enabled=false
-
Namo almost 2 years
Since v1.1.16 the property was changed:
springdoc.api-docs.enabled=false