asp.net-core swagger-ui swashbuckle.aspnetcore

Swagger/Swashbuckle - Can I mask sensitive information in the request UI?


I'm using Swashbuckle.AspNetCore to generate swagger and include the Swagger UI with my Web API project.

In order to mask a password field's entry, I implemented an ISchemaFilter as described here. (Basically it just adds "format": "password" to the field's schema in the swagger.json.)

This works for field entry:

[Image: password entry field with masked characters]

...but after I send the request, the password is displayed in plain text:

[Image]

How can I hide the password text in these fields?


Solution

  • Swagger UI does not mask passwords or API keys in the generated cURL commands. As one of the developers explains:

    think of the cURL command as a way to repeat the exact network request that happened in Swagger UI, outside of the UI

    So there's no way to fully mask the passwords, apart from forking Swagger UI and implementing this functionality yourself.


    On a side note, never send passwords in the query string. Send them in the request body instead.
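
Because the generated cURL command repeats the request verbatim, one practical check is to audit the swagger.json for secrets declared as query parameters. The following is an added example, not part of the original answer or of Swagger UI or Swashbuckle; the sample spec, the function name and the list of name hints are constructed assumptions.

```python
# Constructed sample spec (not from the original page): /login-legacy takes the
# password in the query string, /login takes it in a JSON request body.
PASSWORD = {"type": "string", "format": "password"}
SAMPLE_SPEC = {
    "openapi": "3.0.1",
    "paths": {
        "/login-legacy": {"post": {"parameters": [
            {"name": "username", "in": "query", "schema": {"type": "string"}},
            {"name": "password", "in": "query", "schema": PASSWORD},
        ]}},
        "/login": {"post": {"requestBody": {"content": {"application/json": {
            "schema": {"type": "object", "properties": {"password": PASSWORD}},
        }}}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Hypothetical name hints; extend to match your own naming conventions.
SENSITIVE_NAME_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")


def find_secrets_in_query(spec):
    """Return (path, METHOD, parameter name) for each sensitive query parameter."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every operation
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for param in shared + op.get("parameters", []):
                if param.get("in") != "query":  # also skips unresolved $ref entries
                    continue
                # OpenAPI 3 keeps format under "schema"; Swagger 2 keeps it on the parameter.
                fmt = param.get("schema", {}).get("format") or param.get("format")
                name = param.get("name", "").lower()
                if fmt == "password" or any(h in name for h in SENSITIVE_NAME_HINTS):
                    findings.append((path, method.upper(), param["name"]))
    return findings


if __name__ == "__main__":
    for path, method, name in find_secrets_in_query(SAMPLE_SPEC):
        print(f"{method} {path}: '{name}' is sent in the query string")
```

Run against the generated swagger.json in CI, a non-empty result flags operations whose secrets would end up in URLs and in the cURL command shown by Swagger UI.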