Is there an existing issue for this?
- I have searched the existing issues
Description
Hi team 👋
I have a question regarding the default ABP endpoints such as:
- /Abp/ServiceProxyScript
- /Abp/ConfigurationScript
- and similar auto-generated endpoints
I noticed that these endpoints expose internal metadata such as controller routes, parameter names, and DTO shapes. When accessed publicly (e.g., from the browser), they return JavaScript that reveals details about the backend services.
My concern is:
- Are these endpoints meant to be publicly exposed in a production environment?
- What is the best practice for these endpoints in a production environment?
- Should these endpoints remain publicly accessible?
- Or is it recommended to restrict access (e.g., via authentication or network rules)?
- Should they be disabled completely if not used?
Additionally:
- If I block these endpoints at the NGINX layer (e.g., using `location /Abp/ { deny all; }`), will it have any negative impact on the system, especially if I'm not using dynamic proxy generation on the frontend?
Any official guidance on how to handle these endpoints securely in production would be appreciated.
Thanks for your support and for the great work on ABP!

Version
9
Operation System
macOS
Solution Configuration
No response
Other information
No response
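The NGINX-layer restriction the question mentions, written out as an added example (this is not configuration from the ABP project or from the issue author). It assumes an upstream named `abp_backend` on `127.0.0.1:5000`, a host name `app.example.com` and an internal range `10.0.0.0/8`; all three are placeholders. The point it adds is a check on the `location /Abp/` form: a plain prefix `location` in NGINX is case-sensitive, while ASP.NET Core routing is not, so a request for `/abp/ServiceProxyScript` would pass the prefix block and still reach the application. A case-insensitive regex location closes that gap.

```nginx
# Added example, not part of the ABP project. Placeholders: abp_backend,
# app.example.com, 10.0.0.0/8.

upstream abp_backend {
    server 127.0.0.1:5000;          # placeholder backend address
}

server {
    listen 443 ssl;
    server_name app.example.com;    # placeholder host
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Weak variant, kept for comparison. A prefix location is matched
    # case-sensitively by NGINX, but the backend routes case-insensitively,
    # so /abp/ServiceProxyScript is not covered by this block.
    # location /Abp/ { deny all; }

    # Corrected variant: case-insensitive regex on the path prefix. Regex
    # locations take precedence over the plain "location /" below.
    location ~* ^/abp/ {
        allow 10.0.0.0/8;           # placeholder: internal range that still needs the scripts
        deny all;                   # everyone else receives 403 before the request reaches Kestrel
    }

    location / {
        proxy_pass http://abp_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to verify after applying such a block: `allow`/`deny` evaluate the direct client address, so if another proxy or load balancer sits in front of NGINX the real client IP has to be restored (the `ngx_http_realip_module`) before the allow list means anything; and the regex only covers paths under `/abp/`, so any other endpoint that the frontend depends on is unaffected and needs to be reviewed on its own.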