nestjs/swagger

Secure Configuration for Hiding Client ID and Client Secret in Swagger OAuth Configuration

dsmabulage opened this issue · 1 comment

Is there an existing issue that is already proposing this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe it

The issue is that sensitive information, such as the client ID and client secret, is exposed in the Swagger documentation. Although custom CSS can hide these elements from view, they can still be accessed through browser developer tools. This can pose a security risk, especially if sensitive credentials are inadvertently exposed to unauthorized third parties.

image

Describe the solution you'd like

I propose adding a configuration parameter to the Swagger setup in NestJS that allows for the complete and secure hiding of sensitive information such as client IDs and client secrets. This configuration would ensure that these credentials are hidden from view and the DOM, preventing any possibility of accessing them through developer tools. This could be achieved by:

  1. Providing an option to disable the inclusion of sensitive information in the Swagger UI setup.
  2. Ensuring that credentials are not included in the Swagger documentation output, thus fully safeguarding them from unauthorized access.

Teachability, documentation, adoption, migration strategy

No response

What is the motivation / use case for changing the behavior?

Enhance the security of sensitive information in the Swagger documentation. By completely hiding client IDs and client secrets through a configuration parameter, developers can ensure that these credentials are not exposed to unauthorized users or third parties. This is crucial for protecting sensitive information and maintaining the security and integrity of the application.
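The issue above hides the OAuth fields with CSS, which leaves the values in the served configuration. The following is an added example (not code from the issue author or from the nestjs/swagger project) that contrasts that weak setup with the configuration a defender would use instead: treat Swagger UI as a public OAuth client, send only the client ID to the browser, rely on PKCE instead of a client secret, and fail startup if a secret-like value is still present in the options object. It assumes the swagger-ui `initOAuth` block (`clientId`, `clientSecret`, `scopes`, `usePkceWithAuthorizationCodeGrant`) and the `persistAuthorization` option, and that NestJS passes `swaggerOptions` through to swagger-ui via `SwaggerModule.setup()`; the client IDs and secret strings are constructed placeholders.

```typescript
// Added example: keeping the OAuth client secret out of the Swagger UI
// configuration that is served to browsers. Not nestjs/swagger project code.
//
// Assumptions: swagger-ui accepts an `initOAuth` block with the fields below
// and a `persistAuthorization` flag; NestJS forwards `swaggerOptions` to it
// unchanged. All IDs and secret values here are constructed placeholders.

interface InitOAuthOptions {
  clientId?: string;
  clientSecret?: string;
  scopes?: string[];
  usePkceWithAuthorizationCodeGrant?: boolean;
}

interface SwaggerUiOptions {
  initOAuth?: InitOAuthOptions;
  persistAuthorization?: boolean;
}

// Weak: a confidential client's secret embedded in the UI config. Anything
// placed here is shipped to every visitor's browser, so hiding the input with
// CSS does not protect it; the value remains readable in developer tools.
const weakSwaggerOptions: SwaggerUiOptions = {
  initOAuth: {
    clientId: 'docs-client',                       // constructed placeholder
    clientSecret: 'CONSTRUCTED-PLACEHOLDER-SECRET', // constructed placeholder
  },
};

// Hardened: register the docs UI as a public OAuth client. Only the client ID
// reaches the browser; PKCE (RFC 7636) replaces the secret for the
// authorization code grant, and tokens are not persisted in browser storage.
function buildPublicClientSwaggerOptions(clientId: string, scopes: string[]): SwaggerUiOptions {
  return {
    initOAuth: {
      clientId,
      scopes,
      usePkceWithAuthorizationCodeGrant: true,
    },
    persistAuthorization: false,
  };
}

// Startup check: walk the options object and report every key that looks like
// a secret and carries a non-empty string. Returns dotted paths of offenders.
function findLeakedSecretKeys(options: unknown, path = ''): string[] {
  const hits: string[] = [];
  if (options === null || typeof options !== 'object') return hits;
  for (const [key, value] of Object.entries(options as Record<string, unknown>)) {
    const fullPath = path ? `${path}.${key}` : key;
    if (/secret|password/i.test(key) && typeof value === 'string' && value.length > 0) {
      hits.push(fullPath);
    } else if (value !== null && typeof value === 'object') {
      hits.push(...findLeakedSecretKeys(value, fullPath));
    }
  }
  return hits;
}

// Hypothetical wiring in main.ts (SwaggerModule import and app setup omitted):
//   const opts = buildPublicClientSwaggerOptions(process.env.OAUTH_CLIENT_ID ?? '', ['openid']);
//   const leaks = findLeakedSecretKeys(opts);
//   if (leaks.length > 0) {
//     throw new Error(`Swagger UI config would expose: ${leaks.join(', ')}`);
//   }
//   SwaggerModule.setup('api', app, document, { swaggerOptions: opts });
```

Running `findLeakedSecretKeys` on the weak object reports `initOAuth.clientSecret`; on the hardened object it reports nothing. The check runs before the UI is mounted, so a secret added later to `swaggerOptions` stops the process at boot instead of being served to every client.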

Please report this issue in the swagger-ui-dist repository.