Securing the Swagger Page

Hello,

I have a question regarding a project generated with PHPMaker. After deploying the application to a live server, I noticed that the Swagger API documentation (accessible via /swagger) is publicly available to anyone without requiring authentication.

I would like to restrict access to the Swagger page so that only authorized users (e.g., logged-in users) can view it.

Is there a recommended way within PHPMaker to secure or disable access to the Swagger interface?
If not configurable directly from the PHPMaker UI, can I protect the route by adding a login check or custom condition in the routes.php or index.php file?

I would appreciate any guidance or best practices on how to properly secure this part of the application.

Thank you in advance for your support.

Best regards,

Although the page is public, the data is still protected by PHPMaker’s Advanced Security. Users cannot access data without login. If you only want to allow logged-in users to access it, and you are using v2025, you can use Access Control, e.g. in Global Code:

// Global Code: prepend an access-control rule so that /swagger routes
// require a fully authenticated user
AddListener(ConfigurationEvent::NAME, function (ConfigurationEvent $event) {
    $controls = $event->get("SECURITY.access_control");
    // Rules are matched in order, so the new rule goes first. array_merge reindexes
    // the list; the "+" union operator would keep only the left-hand element at
    // key 0 and silently drop the existing first rule.
    $controls = array_merge([["path" => '^/swagger', "roles" => "IS_AUTHENTICATED_FULLY"]], $controls);
    $event->set("SECURITY.access_control", $controls);
});

This is not working. I added it to the global code and unauthenticated users can still access /swagger.

Note that /swagger/index.html is a static HTML file; you cannot block it with PHP. You need to do it with, e.g., the .htaccess of your web server. The above settings only restrict access to the backend PHP, so when you send a request via /swagger/index.html, your access is denied.
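For an Apache host, this is the kind of .htaccess rule the reply above refers to. It is an added example, not from the thread or from PHPMaker; the file location (the /swagger directory under the document root) is an assumption.

```apache
# Added example (not from the thread): restrict the static Swagger UI to local requests.
# Place in <docroot>/swagger/.htaccess (path assumed) or in the site's <Directory> block.
# The access_control rule in Global Code only guards PHP routes; /swagger/index.html
# is served directly by Apache, so the restriction has to live in the web server.
<IfModule mod_authz_core.c>
    # Apache 2.4: only requests originating from the server itself are allowed
    Require local
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1
</IfModule>
```

This only takes effect if the enclosing Directory has AllowOverride set to permit authorization directives (AllowOverride AuthConfig or All); otherwise put the same directives in the virtual host configuration.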

Ok, thanks.
I’m using IIS. In case anyone is interested, here’s how I blocked all access except from localhost.
Install the Windows feature: IIS / WWW Services / Security / IP Security.
Then, in an elevated command prompt:

cd %windir%\system32\inetsrv
appcmd.exe set config "Default Web Site/swagger" -section:system.webServer/security/ipSecurity -allowUnlisted:False /commit:apphost
appcmd.exe set config "Default Web Site/swagger" -section:system.webServer/security/ipSecurity /+"[ipAddress='127.0.0.1',allowed='True']" /commit:apphost

Don’t forget to change “Default Web Site” to your site name.