disable "/v3/api-docs", and "/swagger-ui.html" by default and upgrade to Scalar 0.2.1 #3090
Conversation
|
i have merged with the latest version. |
|
Making it disabled by default would be better. You could introduce a new property like From previous experience, I've found that people typically disable SpringDoc via You might say this is a noob mistake, but in reality, the mistake is made by principal-level developers, and it passes both internal and external penetration testing. No one catches it for months in production, until a curious junior developer (me at one of my previous companies) discovers it by accident. There may still be other systems/companies where this issue hasn't been discovered yet, so it's better to disable it by default and ensure users familiarize themselves with your library before enabling it. Note that I sent the same concern to Scalar via email, and they accepted it: scalar/scalar#6781 (Of course, I also sent the same concern to SpringDoc via email) I agree with you that it may seem overkill, but when you look at it from the user's perspective, it makes sense. Also, in 2024, the CVE board updated the CNA rules, including the following:
So what do you think? Thank you for your effort in providing the Spring ecosystem with this library which makes our lives easier. |
|
This change seems like a breaking change. Does not SpringDoc use semantic versioning? |
3 participants
Disable SpringDoc by default to maintain alignment with Scalar (scalar/scalar#6781) and ensure that the default configuration follows secure-by-default principles.