I have a question regarding a project generated with PHPMaker. After deploying the application to a live server, I noticed that the Swagger API documentation (accessible via /swagger) is publicly available to anyone without requiring authentication.
I would like to restrict access to the Swagger page so that only authorized users (e.g., logged-in users) can view it.
Is there a recommended way within PHPMaker to secure or disable access to the Swagger interface?
If not configurable directly from the PHPMaker UI, can I protect the route by adding a login check or custom condition in the routes.php or index.php file?
I would appreciate any guidance or best practices on how to properly secure this part of the application.
Although the page is public, the data is still protected by PHPMaker’s Advanced Security. Users cannot access data without login. If you only allow logged-in users to access it, and you are using v2025, you can use Access Control, e.g. in Global Code
Note that /swagger/index.html is a static HTML file; you cannot disable it by PHP. You need to do it by, e.g., .htaccess of your web server. The above settings only disable access to the backend PHP; when you send a request via /swagger/index.html, your access is denied.
Ok, thanks.
I’m using IIS. In case anyone is interested, here’s how I blocked all access except from localhost.
Install the Windows feature: IIS / WWW Services / Security / IP Security.
Then, in an elevated command prompt:
cd %windir%\system32\inetsrv
appcmd.exe set config "Default Web Site/swagger" -section:system.webServer/security/ipSecurity -allowUnlisted:False /commit:apphost
appcmd.exe set config "Default Web Site/swagger" -section:system.webServer/security/ipSecurity /+"[ipAddress='127.0.0.1',allowed='True']" /commit:apphost
Don’t forget to change “Default Web Site” to your site name.
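For Apache, the .htaccess route mentioned in the reply above could look like the following. This is an added example, not configuration posted in the thread or shipped by PHPMaker; it assumes Apache 2.4, and the password file path and realm name are placeholders. The Basic authentication it uses is handled by the web server and is separate from the PHPMaker login.

```apache
# File: <document root>/swagger/.htaccess  (Apache 2.4+)
# The server config must grant "AllowOverride AuthConfig" (or All) for this
# directory. With "AllowOverride None" this file is silently ignored and
# /swagger stays public, so test from a remote client after deploying.

AuthType Basic
AuthName "API documentation"
# Assumed path: keep the password file outside the document root.
# Create it with: htpasswd -c /etc/apache2/.htpasswd-swagger <username>
AuthUserFile /etc/apache2/.htpasswd-swagger

# A request is allowed if EITHER condition holds; everything else is refused.
<RequireAny>
    # Loopback clients (127.0.0.0/8, ::1): same policy as the IIS rule above
    Require local
    # Remote clients must present valid credentials (serve over HTTPS only,
    # since Basic auth sends the password base64-encoded, not encrypted)
    Require valid-user
</RequireAny>
```

If the site sits behind a reverse proxy on the same host, every request arrives from the loopback address and `Require local` matches all of them; in that setup drop the `Require local` line and rely on `Require valid-user` alone.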