This PR adds support to enable the open API route in the production build output.
Resolves #2418 (experimentally!)
New configs (`openAPI: {}`):
- `production`
  - `false` - (default) does not expose openapi.json to the production
  - `runtime` - Add runtime event handlers
  - `prerender` - Prerender swagger JSON and UIs
- `route`: Default is `/_openapi.json`
- `ui.scalar`
  - can be `false` to disable scalar UI (default is on)
  - `route`: Default is `/_scalar`
- `ui.swagger`
  - can be `false` to disable swagger UI (default is on)
  - `route`: Default is `/_swagger`
[!NOTE]
New routes removed /_nitro prefix to be simpler.
Security
Production routes are explicit opt-in to make sure users deliberately want to expose available routes in production and add the necessary protection if needed.
production: 'runtime'
Ideally before moving the OpenAPI feature to stable, we will have guard route rules to allow a hookable method to protect routes.
In the meantime, in this mode a server middleware can be used to protect
production: 'prerender'
Prerender mode is the most efficient because the JSON output is literally a constant response. However, deployment presets that natively have a CDN (netlify, cloudflare, vercel, etc.) never hit the nitro server, and in this mode protection should be considered at the CDN level somehow.
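One way to write the server middleware mentioned for `production: 'runtime'`, as an added example that is not part of the PR or the project's code. It guards the three default routes listed above with a bearer token; the `DOCS_TOKEN` variable and all function names are hypothetical, and the h3 wiring appears only as a comment.

```javascript
// Added example, not code from the PR. Route paths are the defaults from the
// PR description; DOCS_TOKEN and every function name here are hypothetical.
const PROTECTED_ROUTES = ["/_openapi.json", "/_scalar", "/_swagger"];

// True when the path is a documentation route or a sub-path of one.
// The query string, fragment and trailing slashes are ignored.
function isDocsRoute(url) {
  const path = url.split(/[?#]/)[0].replace(/\/+$/, "") || "/";
  return PROTECTED_ROUTES.some((r) => path === r || path.startsWith(r + "/"));
}

// Compare every position regardless of where the first mismatch is, so
// response timing does not reveal how much of the token was correct.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns the HTTP status to answer with, or null to let the request continue.
// `headers` uses lower-case keys, as Node provides them.
function guardDocs(url, headers, expectedToken) {
  if (!isDocsRoute(url)) return null;
  // Fail closed: with no token configured, the docs stay unreachable.
  if (!expectedToken) return 404;
  const match = /^Bearer (.+)$/i.exec(headers["authorization"] || "");
  if (!match) return 401;
  return safeEqual(match[1], expectedToken) ? null : 403;
}

// Wiring sketch for a Nitro server middleware file (h3 helpers, assumed
// to be auto-imported as in a standard Nitro project):
//   export default defineEventHandler((event) => {
//     const status = guardDocs(event.path, getRequestHeaders(event),
//                              process.env.DOCS_TOKEN);
//     if (status) throw createError({ statusCode: status });
//   });
```

This covers `runtime` mode only; with `prerender` on a CDN-backed preset the request never reaches this handler.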