我在多个微服务上大摇大摆地工作.部署到 Azure 时,由于安全最佳实践,我们需要一起删除 swagger 选项.使用 核心 2.1寻找定义的例子.
I have swagger working on multiple microservices. When deploying to Azure we need to remove all together the option of swagger due to security best practices. Working with core 2.1 Looking for example of definitions.
推荐答案首先,什么是安全最佳实践"?将 API 文档用于生产并没有错.这实际上是重点:客户应该能够查看文档,以便他们可以正确使用您的 API.如果这些微服务不被外部客户端使用,那么问题就更小了,因为无论如何,外部没有人可以访问服务或文档.如果服务是公开的,那么它们也应该要求对请求进行授权,并且可以通过相同的机制锁定文档本身.
First, what "security best practices"? There's nothing wrong with having your API documentation in production. That's actually kind of the whole point: clients should be able to look at the documentation so that they can properly use your API. If these microservices aren't exposed to be used by external clients, then it's even less of an issue, because no one outside can get to the service or the documentation, anyways. If the services are exposed, then they should also be requiring requests to be authorized, and the documentation itself can be locked down via the same mechanism.
无论如何,如果您坚持在生产环境中删除它,您最好的选择是一开始就不要添加它.换句话说,使用 if (env.IsDevelopment()) 将所有 Swagger 设置包装在 Startup.cs 中,或者如果您希望它在暂存环境之类的东西中可用:if (!env.IsProduction()).
Regardless, if you insist on removing this in production, your best bet is to never add it there in the first place. In other words, wrap all your Swagger setup in Startup.cs with if (env.IsDevelopment()) or if you want it available in things like a staging environment: if (!env.IsProduction()).
更多推荐
如何删除 swagger production .net core 2.1
发布评论