Closed wsalembi closed 1 year ago
Should this apply to the whole of /doc/* ?
Maybe it's a business decision up to providers to only expose its API documentation to users with a specific role (e.g. hide deprecated versions, targeted information, ...) vs. openness (API economy). Restricting access to EXTRANET or INTERNAL access channel is just one way of limiting access to a group of users IMO.
Mentioning access channel in the guide may however be a bit too specific to Social Security.
we can remain more general in the guide: Access should at least be allowed to /doc/* content to any (potential) user of the API
I'll create a PR for this change
PR #97 ready for review.
Also, some technical challenges with the doc resources were also brought up during WG, but won't be included in the guide because they can be product-specific:
Add a small addition to https://www.belgif.be/specification/rest/api-guide/#doc-resource
The standard resource /doc/swagger.yaml can be defined as a non-secure resource. Make sure the specification only contains publicly available documentation (no sensitive, personal or secret data) and is only exposed to the access channel (INTERNET, EXTRANET, INTERNAL) where the API is hosted. (cfr Application Security decision dd. 09/06/2022)
/doc/swagger.yaml: security: []
/doc/openapi.yaml: security: []