API Platform version(s) affected:
I tested this on 3.4.* in combination with Symfony.
Description
When the API entrypoint is requested with an OpenAPI-related Accept header (or format suffix), the response serializes the internal ResourceNameCollection as full PHP class names (FQCNs) instead of public API identifiers (e.g. shortName, IRIs, or route paths).
This exposes internal application structure to any client that can reach the entrypoint.
Example response
GET /index.jsonopenapi
Accept: application/vnd.openapi+json
{
"resourceNameCollection": [
"ApiPlatform\\State\\ApiResource\\Error",
"ApiPlatform\\Symfony\\Validator\\Exception\\ValidationException",
"ApiPlatform\\Validator\\Exception\\ValidationException"
]
}In real applications, this list also includes application resource classes (e.g. App\\Entity\\...), revealing namespace layout and code organization that is not exposed via the normal OpenAPI documentation endpoint.
How to reproduce
-
Set up an API Platform 3.x project with one or more ApiResource classes.
-
Keep the entrypoint enabled (enable_entrypoint: true, default).
-
Request the entrypoint with OpenAPI content negotiation:
curl -H 'Accept: application/vnd.openapi+json' https://example.com/index
# or
curl -s https://your-application.dev/index.jsonopenapi
-
Observe that the response contains PHP FQCNs in resourceNameCollection.
The same behavior is visible on the official demo:
curl -s "https://demo.api-platform.com/index.jsonopenapi"
By contrast, the documentation endpoint does not expose FQCNs:
curl -s "https://demo.api-platform.com/docs.jsonopenapi" | grep "App\\\\"
# → no matches
Possible Solution
Change the default value of enable_entrypoint from true to false in https://github.com/api-platform/symfony/blob/main/Bundle/DependencyInjection/Configuration.php#L131.
Production deployments should be safe by default. Today, enabling the entrypoint exposes internal PHP class names via resourceNameCollection, which leaks application structure to anyone who can reach the endpoint. That is easy to miss because:
- The config name (
enable_entrypoint) does not clearly signal an information disclosure risk
- The leak only appears on the entrypoint route, not on
/docs
- Many projects enable API docs in production without realizing the entrypoint is a separate, discoverable surface
Requiring an explicit opt-in aligns with a secure-by-default posture: if a project wants API discovery via the entrypoint, it should turn that on deliberately in configuration.
Additional Context
API Platform version(s) affected:
I tested this on 3.4.* in combination with Symfony.
Description
When the API entrypoint is requested with an OpenAPI-related
Acceptheader (or format suffix), the response serializes the internalResourceNameCollectionas full PHP class names (FQCNs) instead of public API identifiers (e.g.shortName, IRIs, or route paths).This exposes internal application structure to any client that can reach the entrypoint.
Example response
{ "resourceNameCollection": [ "ApiPlatform\\State\\ApiResource\\Error", "ApiPlatform\\Symfony\\Validator\\Exception\\ValidationException", "ApiPlatform\\Validator\\Exception\\ValidationException" ] }In real applications, this list also includes application resource classes (e.g.
App\\Entity\\...), revealing namespace layout and code organization that is not exposed via the normal OpenAPI documentation endpoint.How to reproduce
Set up an API Platform 3.x project with one or more
ApiResourceclasses.Keep the entrypoint enabled (
enable_entrypoint: true, default).Request the entrypoint with OpenAPI content negotiation:
Observe that the response contains PHP FQCNs in
resourceNameCollection.The same behavior is visible on the official demo:
curl -s "https://demo.api-platform.com/index.jsonopenapi"By contrast, the documentation endpoint does not expose FQCNs:
Possible Solution
Change the default value of
enable_entrypointfromtruetofalsein https://github.com/api-platform/symfony/blob/main/Bundle/DependencyInjection/Configuration.php#L131.Production deployments should be safe by default. Today, enabling the entrypoint exposes internal PHP class names via
resourceNameCollection, which leaks application structure to anyone who can reach the endpoint. That is easy to miss because:enable_entrypoint) does not clearly signal an information disclosure risk/docsRequiring an explicit opt-in aligns with a secure-by-default posture: if a project wants API discovery via the entrypoint, it should turn that on deliberately in configuration.
Additional Context