删除 swagger production .net core 2.1

首先，什么是安全最佳实践"?将 API 文档用于生产并没有错.这实际上是重点:客户应该能够查看文档，以便他们可以正确使用您的 API.如果这些微服务不被外部客户端使用，那么问题就更小了，因为无论如何，外部没有人可以访问服务或文档.如果服务是公开的，那么它们也应该要求对请求进行授权，并且可以通过相同的机制锁定文档本身.

First, what "security best practices"? There's nothing wrong with having your API documentation in production. That's actually kind of the whole point: clients should be able to look at the documentation so that they can properly use your API. If these microservices aren't exposed to be used by external clients, then it's even less of an issue, because no one outside can get to the service or the documentation, anyways. If the services are exposed, then they should also be requiring requests to be authorized, and the documentation itself can be locked down via the same mechanism.

无论如何，如果您坚持在生产环境中删除它，您最好的选择是一开始就不要添加它.换句话说，使用 if (env.IsDevelopment()) 将所有 Swagger 设置包装在 Startup.cs 中，或者如果您希望它在暂存环境之类的东西中可用:<代码>if (!env.IsProduction()).

Regardless, if you insist on removing this in production, your best bet is to never add it there in the first place. In other words, wrap all your Swagger setup in Startup.cs with if (env.IsDevelopment()) or if you want it available in things like a staging environment: if (!env.IsProduction()).

这篇好文章是转载于：学新通技术网