feat: disable directory listings for static files (#12229)

* feat: disable directory listings for static files Static file server handles serving static asset files (js, css, etc). The default file server would also list all files in a directory. This has been changed to only serve files.
2025-07-03 16:13:58 +00:00 · 2024-02-20 15:50:30 -06:00
parent 2dac34276a
commit 07cccf9033
5 changed files with 91 additions and 14 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -1067,6 +1067,14 @@ func New(options *Options) *API {
 		// See globalHTTPSwaggerHandler comment as to why we use a package
 		// global variable here.
 		r.Get("/swagger/*", globalHTTPSwaggerHandler)
+	} else {
+		swaggerDisabled := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), rw, http.StatusNotFound, codersdk.Response{
+				Message: "Swagger documentation is disabled.",
+			})
+		})
+		r.Get("/swagger", swaggerDisabled)
+		r.Get("/swagger/*", swaggerDisabled)
 	}

 	// Add CSP headers to all static assets and pages. CSP headers only affect