This repository was archived by the owner on Feb 26, 2026. It is now read-only.

[LOW] Swagger UI is enabled in all environments including production #11

@aatmmr


Summary

Swagger/OpenAPI documentation UI is unconditionally enabled for all environments, including production. This exposes the full API surface, endpoint schemas, and parameter details to potential attackers.

Description

In src/Program.cs (lines 121–122):

app.UseSwagger();
app.UseSwaggerUI();

These calls are not wrapped in an environment check. In production:

  • Attackers can browse the full API schema at /swagger.
  • All endpoint parameters, types, and response shapes are visible.
  • This information aids in crafting targeted attacks against the API.
  • Internal or admin endpoints (like DELETE /api/v1/gods) are publicly documented.

Implementation

  1. Wrap Swagger registration in a development environment check:
    if (app.Environment.IsDevelopment())
    {
        app.UseSwagger();
        app.UseSwaggerUI();
    }
  2. If Swagger is needed in staging/QA environments, use a more targeted check:
    if (!app.Environment.IsProduction())
    {
        app.UseSwagger();
        app.UseSwaggerUI();
    }
  3. Alternatively, protect the Swagger endpoint with authentication in production.
  4. Verify the change by running the app with ASPNETCORE_ENVIRONMENT=Production and confirming /swagger returns 404.

References
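The following is an added example of a minimal Program.cs, not the project's own file, showing the environment gate from steps 1–2 together with the step‑3 alternative of keeping the docs in production behind an authenticated-user check. It assumes Swashbuckle (which provides UseSwagger/UseSwaggerUI) and that an authentication scheme is registered elsewhere; with no scheme configured, every /swagger request in production simply gets 401.

```csharp
// Added example (not the project's Program.cs). Assumes Swashbuckle.AspNetCore is
// referenced and an authentication scheme is configured elsewhere in the app.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAuthorization();

var app = builder.Build();

// Authentication/authorization middleware must run before the /swagger gate below
// so that ctx.User is populated when the check runs.
app.UseAuthentication();
app.UseAuthorization();

if (!app.Environment.IsProduction())
{
    // Steps 1–2: docs only outside production. In production nothing is mapped
    // under /swagger, so the path falls through and returns 404.
    app.UseSwagger();
    app.UseSwaggerUI();
}
else
{
    // Step 3: docs stay available in production, but only to authenticated users.
    // StartsWithSegments("/swagger") covers both the UI and /swagger/v1/swagger.json.
    app.UseWhen(
        ctx => ctx.Request.Path.StartsWithSegments("/swagger"),
        branch => branch.Use(async (ctx, next) =>
        {
            if (ctx.User?.Identity?.IsAuthenticated != true)
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return; // short-circuit: schema is never served to anonymous callers
            }
            await next(ctx);
        }));
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.MapGet("/health", () => Results.Ok());
app.Run();
```

To verify, run with ASPNETCORE_ENVIRONMENT=Production and request /swagger: the gated variant in the if-branch returns 404, while the step‑3 variant returns 401 for an anonymous request and 200 only once a valid credential is presented.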
