
Hi guys, I am deploying a Django project to Elastic Beanstalk on AWS. It currently is working fine; however, I would like to know if it's a good or bad practice to allow the BrowsableAPIRenderer to handle requests in my browser. I tried to find anything related to it, but there is really not much documentation, if any at all. My app has a really strict permission policy; even when I access it through the browsable API, it returns the following:

{
    "detail": "Authentication credentials were not provided."
}

However, it displays some sort of "information" about the endpoint. It's that part where I find it difficult to decide whether I should allow it so that other developers can easily know what is going on, or, on the other hand, whether it is a big risk for it to be accessible to the public.


Dr Jfrost

1 Answer


You may find this question and its answers useful. Based on this answer, it is true that providing the BrowsableAPIRenderer would help development:

  1. It provides a simple UI to interact with model objects.
  2. It can provide detailed debugging information.
  3. A list of URLs can be shown in some API root.

Based on your current settings, a user would at least need to log in on either the DRF login page or the Django admin page to see and interact with your API.

You can enable the BrowsableAPI in development but disable it in your production settings following this answer.

In production, I wouldn't want other users who have write permission to interact with the APIs via the BrowsableAPI. It will force the other users to use the front-end app or another secure app to interact with the APIs. That would provide a secure layer to forbid descriptive actions done using the BrowsableAPI.

Jun Zhou
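The dev-only/prod-off split the answer recommends, as an added settings example (not code from the question, the answer or DRF itself). It assumes a `DJANGO_DEBUG` environment property marks development; DRF accepts dotted class paths in `DEFAULT_RENDERER_CLASSES`, so `settings.py` does not need to import `rest_framework`.

```python
# Added example: keep BrowsableAPIRenderer out of production while leaving
# it available in development. Assumption: the DJANGO_DEBUG environment
# property ("1"/"true"/"yes") is set only on development environments.
import os

JSON_RENDERER = "rest_framework.renderers.JSONRenderer"
BROWSABLE_RENDERER = "rest_framework.renderers.BrowsableAPIRenderer"


def renderer_classes(debug: bool) -> list:
    """Build DEFAULT_RENDERER_CLASSES: JSON always, browsable API only in debug."""
    renderers = [JSON_RENDERER]
    if debug:
        renderers.append(BROWSABLE_RENDERER)
    return renderers


def browsable_api_enabled(rest_framework_settings: dict) -> bool:
    """Deployment check: True if the browsable renderer is configured."""
    classes = rest_framework_settings.get("DEFAULT_RENDERER_CLASSES", [])
    return any(c.endswith("BrowsableAPIRenderer") for c in classes)


DEBUG = os.environ.get("DJANGO_DEBUG", "").lower() in ("1", "true", "yes")

REST_FRAMEWORK = {
    "DEFAULT_RENDERER_CLASSES": renderer_classes(DEBUG),
    # The renderer only changes the response format; access control still
    # comes from the permission/authentication classes, which stay strict
    # in every environment.
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}

# Guard against a misconfigured production deploy (DEBUG off, browsable on).
if not DEBUG and browsable_api_enabled(REST_FRAMEWORK):
    raise RuntimeError("BrowsableAPIRenderer must not be enabled in production")
```

With `DJANGO_DEBUG` unset, a browser hitting an endpoint gets the plain JSON body only (the same `"detail"` message the question shows) instead of the HTML form and endpoint description.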