litellm - ✅(Solved) Fix [Feature]: Add `NO_OPENAPI` env var to disable `/openapi.json` endpoint [1 pull requests, 1 participants]

GitHub stats
BerriAI/litellm#25538Fetched 2026-04-11 06:13:31

PR fix notes

PR #25696: feat(proxy): add NO_OPENAPI env var to disable /openapi.json endpoint

Description (problem / solution / changelog)

Relevant issues

Fixes #25538

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have added testing in the tests/proxy_unit_tests/test_proxy_utils.py file
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

CI (LiteLLM team)

  • Branch creation CI run
  • CI run for the last commit
  • Merge / cherry-pick CI run

Screenshots / Proof of Fix

Feature adds a new env var NO_OPENAPI=true which disables the /openapi.json endpoint by passing openapi_url=None to the FastAPI constructor. No screenshot needed as this is a configuration-only change following the existing NO_DOCS and NO_REDOC pattern.

Type

🆕 New Feature

Changes

  • Added _get_openapi_url() helper function in litellm/proxy/utils.py following the exact same pattern as the existing _get_docs_url() and _get_redoc_url() functions
  • Added openapi_url=_get_openapi_url() to the FastAPI() constructor in litellm/proxy/proxy_server.py
  • Added _get_openapi_url to the import block in proxy_server.py
  • Added 4 parametrized tests in tests/proxy_unit_tests/test_proxy_utils.py covering default, custom URL, disabled, and false cases

Changed files

  • litellm/proxy/proxy_server.py (modified, +2/-0)
  • litellm/proxy/utils.py (modified, +16/-0)
  • tests/proxy_unit_tests/test_proxy_utils.py (modified, +25/-1)

Check for existing issues

  • I have searched the existing issues and checked that my issue is not a duplicate.

The Feature

Add a NO_OPENAPI environment variable (or similar) that sets openapi_url=None on the FastAPI app constructor, disabling the /openapi.json endpoint.

This would follow the same pattern already established by NO_DOCS and NO_REDOC. The implementation would be a small helper function in litellm/proxy/utils.py (similar to _get_docs_url and _get_redoc_url) and would pass openapi_url= to the FastAPI() call in proxy_server.py.

Motivation, pitch

Security assessments commonly flag publicly accessible API documentation endpoints as information disclosure vulnerabilities. While the schema itself isn't sensitive, it provides an attacker with a complete map of the API's attack surface, making reconnaissance trivial.

Currently, NO_DOCS=true and NO_REDOC=true already disable the Swagger UI and ReDoc pages, but the /openapi.json endpoint remains accessible. Users running LiteLLM via the Docker image can't modify the application code directly, so a reverse proxy workaround is needed to block this path.

What part of LiteLLM is this about?

Proxy

LiteLLM is hiring a founding backend engineer, are you interested in joining us and shipping to all our users?

No

Twitter / LinkedIn details

@jonemo

extent analysis

TL;DR

To address the security concern, add a NO_OPENAPI environment variable that sets openapi_url=None in the FastAPI app constructor, similar to the existing NO_DOCS and NO_REDOC variables.

Guidance

  • Implement a helper function in litellm/proxy/utils.py to handle the NO_OPENAPI environment variable, similar to _get_docs_url and _get_redoc_url.
  • Pass openapi_url=None to the FastAPI() call in proxy_server.py when the NO_OPENAPI environment variable is set.
  • Verify that the /openapi.json endpoint is no longer accessible when NO_OPENAPI is enabled.
  • Consider adding documentation for the new NO_OPENAPI environment variable to inform users about this security feature.

Example

# In litellm/proxy/utils.py
import os

def _get_openapi_url():
    # Only an explicit truthy value disables the route; NO_OPENAPI=false keeps it.
    if os.environ.get("NO_OPENAPI", "").strip().lower() in ("true", "1"):
        return None
    # default openapi url
    return "/openapi.json"

# In proxy_server.py
app = FastAPI(openapi_url=_get_openapi_url())

Notes

This solution assumes that the NO_OPENAPI environment variable is set to a truthy value (e.g., "true") to disable the /openapi.json endpoint.
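As an added example (not code from the issue, the PR, or the litellm code base), the model below resolves all three documentation switches the way the page describes and shows why NO_DOCS and NO_REDOC alone leave the schema reachable. It assumes default paths /docs and /redoc and an OPENAPI_URL override for the PR's "custom URL" case, none of which the page names; the rule that FastAPI mounts /docs and /redoc only when openapi_url is set is FastAPI's own behaviour, encoded in exposed_doc_endpoints().

```python
import os
from typing import Dict, Mapping, Optional

# Strings that mean "disable"; anything else (including "false") keeps the route.
_TRUTHY = {"true", "1", "yes", "on"}


def _flag_set(env: Mapping[str, str], name: str) -> bool:
    return env.get(name, "").strip().lower() in _TRUTHY


def _get_docs_url(env: Mapping[str, str]) -> Optional[str]:
    # Default paths below are assumptions; the page only names the switches.
    return None if _flag_set(env, "NO_DOCS") else "/docs"


def _get_redoc_url(env: Mapping[str, str]) -> Optional[str]:
    return None if _flag_set(env, "NO_REDOC") else "/redoc"


def _get_openapi_url(env: Mapping[str, str]) -> Optional[str]:
    # Same pattern for the schema route: NO_OPENAPI=true -> None (not mounted),
    # NO_OPENAPI=false -> default. OPENAPI_URL is an assumed name for the
    # PR's "custom URL" test case.
    if _flag_set(env, "NO_OPENAPI"):
        return None
    return env.get("OPENAPI_URL", "/openapi.json")


def exposed_doc_endpoints(env: Mapping[str, str]) -> Dict[str, Optional[str]]:
    # Which documentation routes a FastAPI app built from `env` would mount.
    # FastAPI's setup() mounts docs_url and redoc_url only when openapi_url
    # is not None, so NO_OPENAPI on its own also takes the two UIs down.
    openapi = _get_openapi_url(env)
    return {
        "docs": _get_docs_url(env) if openapi else None,
        "redoc": _get_redoc_url(env) if openapi else None,
        "openapi": openapi,
    }


if __name__ == "__main__":
    # Constructed configs: the state the issue describes, then the fix.
    before = {"NO_DOCS": "true", "NO_REDOC": "true"}
    after = {**before, "NO_OPENAPI": "true"}
    print("NO_DOCS+NO_REDOC only:", exposed_doc_endpoints(before))
    print("plus NO_OPENAPI      :", exposed_doc_endpoints(after))
    print("live process env     :", exposed_doc_endpoints(os.environ))
```

Running it against the live environment (last line) is a quick way to check what a container would expose before it is deployed.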

Recommendation

Implement the NO_OPENAPI environment variable: it addresses the security concern with a small, isolated change that follows the existing NO_DOCS and NO_REDOC pattern and requires no other changes to the codebase.
