Web API – Remove the Help Page

A simple but very important point to remember when deploying your ASP.Net Web Api to the Production Environment.

If you have created your ASP.Net Web Api from the template provided by visual studio, this last will add some nugget packages and controllers which you might need to uninstall / exclude once you deploy into production.

I have been approached for this question, where a colleague developer did notice that the ~/help was still there, and  that it could be a potential security risk.

There are couple of solutions to fix this issue:

1. Web Config approach

I can add this entry in the web.config which will exclude the help section from the web api.

<add key="ExcludeHelpPage" value="false" />

With this approach, I can have the help available for Debug, and removed once the code is published into Prod (Release mode), using the web.config Transform

2. From the solution content

A more radical solution, is to :

1- Remove the helpPage Nugget package

2- Exclude the areas/help folder from the solution.

3- Finally, remove the route to the /help controller.

3. Override the Controller

If you prefer a simpler solution, browse to the contrllers folder, select the help controller,

Replace the return view, by a return null.