I have an ASP.NET Core 8 web API. I have disabled Swagger documentation in production, but the endpoints shown below are still available for use. For example, I can still use the `register` endpoint in Postman even though I can't see the Swagger documentation.
The only endpoints that I need in production are `login` and `refresh`. Users do not create their own accounts or manage passwords. I don't see these endpoints in the code like the endpoints I have added in controllers. How can I prevent access to these endpoints in my production site?
Somewhere in your code, you make a call to `MapIdentityApi`, which adds all identity endpoints and is not configurable. See the source code.
You should get rid of your call to `MapIdentityApi` and copy the `login` and `refresh` endpoints from the source code mentioned above to your own controller or minimal API.