How to remove swagger production .net core 2.1

Question

I have swagger working on multiple microservices. When deploying to Azure we need to remove all together the option of swagger due to security best practices. Working with .net core 2.1 Looking for example of definitions.

Answer 1

First, what "security best practices"? There's nothing wrong with having your API documentation in production. That's actually kind of the whole point: clients should be able to look at the documentation so that they can properly use your API. If these microservices aren't exposed to be used by external clients, then it's even less of an issue, because no one outside can get to the service or the documentation, anyways. If the services are exposed, then they should also be requiring requests to be authorized, and the documentation itself can be locked down via the same mechanism.

Regardless, if you insist on removing this in production, your best bet is to never add it there in the first place. In other words, wrap all your Swagger setup in Startup.cs with if (env.IsDevelopment()) or if you want it available in things like a staging environment: if (!env.IsProduction()).

Answer 2

If you're coming at this from .net core 3.1:

Assuming that the Startup class' constructor copies the injected IConfiguration to a local field called configuration, then you can setup the Configure method like so:

public void configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    var applicationName = configuration.GetValue<string>("ApplicationName") ?? "MyApi";
    var basePath = configuration.GetValue<string>("BasePath");
    if (!string.IsNullOrEmpty(basePath))
        app.UsePathBase(basePath);

    if (!env.IsProduction())
    {
        app.UseSwagger();
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint($"{basePath}/swagger/v1/swagger.json",
                                $"{applicationName} {ReflectionUtils.GetAssemblyVersion<Program>()}");
        });
    }
}