OpenAPI, Swagger UI, and testing CORS on documented endpoints
Swagger UI in the browser is still a web app: authorize it carefully and keep internal and public docs separate.
Tags: openapi, swagger, testing
Hosted Swagger risks
A publicly reachable Swagger UI with no authentication exposes the details of every documented operation; gate it whenever the API itself is not meant to be fully public.
If Swagger UI is served from a different origin than the API, the API's CORS policy must allow that documentation origin, or the browser will block the requests the UI makes on the user's behalf.
Automated checks
Contract tests should assert the required security headers on sample routes, not only the JSON bodies.
Include OPTIONS preflight probes in CI for routes that expect custom headers from browsers.
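One way to put both checks into a CI job, as an added example that is not code from the original post: send the same OPTIONS preflight a browser would send from the docs origin, then grade the response headers. The docs origin, the custom header name `X-Api-Key`, the required security headers and the two sample responses are all assumed values constructed for this example.

```python
import urllib.request

# Assumed values for this example (not from the original post): the docs origin,
# the custom header Swagger UI sends, and the security headers we insist on.
DOCS_ORIGIN = "https://docs.example.test"
CUSTOM_HEADERS = ["X-Api-Key"]
REQUIRED_SECURITY_HEADERS = ["X-Content-Type-Options", "Strict-Transport-Security"]

def preflight(url, origin=DOCS_ORIGIN, custom_headers=CUSTOM_HEADERS):
    """Send the OPTIONS preflight a browser would send from the docs origin."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": ", ".join(custom_headers),
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return dict(resp.headers.items())

def evaluate(headers, docs_origin=DOCS_ORIGIN, custom_headers=CUSTOM_HEADERS,
             required=REQUIRED_SECURITY_HEADERS):
    """Return a list of findings for one preflight response; empty means pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        findings.append("missing Access-Control-Allow-Origin: docs origin will be blocked")
    elif acao == "*":
        findings.append("Access-Control-Allow-Origin is '*': pin it to the docs origin")
    elif acao != docs_origin:
        findings.append(f"Access-Control-Allow-Origin is {acao!r}, expected {docs_origin!r}")
    elif "origin" not in h.get("vary", "").lower():
        findings.append("per-origin CORS reply without 'Vary: Origin' (shared caches may reuse it)")
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    for name in custom_headers:
        if name.lower() not in allowed:
            findings.append(f"custom header {name} not in Access-Control-Allow-Headers")
    for name in required:
        if name.lower() not in h:
            findings.append(f"required security header {name} missing")
    return findings

# Constructed sample responses standing in for a live OPTIONS probe.
WEAK_RESPONSE = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type"}
HARDENED_RESPONSE = {"Access-Control-Allow-Origin": DOCS_ORIGIN, "Vary": "Origin",
                     "Access-Control-Allow-Headers": "Content-Type, X-Api-Key",
                     "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=63072000"}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, evaluate(resp) or "OK")
```

In CI, replace the sample dicts with `evaluate(preflight(route_url))` for each route that takes a browser-sent custom header and fail the job on any non-empty result.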
