Fix Shadow API Exposure in Chi

Shadow APIs are undocumented, unmonitored endpoints that bypass standard security controls. In the context of Go's Chi router, this usually manifests as legacy routes, debug handlers, or internal administrative interfaces left exposed to the public internet without authentication middleware. If you can't see it in your Swagger spec but it responds to a GET request, it's a shadow API and a high-risk target for lateral movement.

The Vulnerable Pattern

func main() {
	r := chi.NewRouter()
// Public API
r.Get("/api/v1/status", getStatus)

// SHADOW API: Undocumented, no middleware, forgotten during dev
r.Get("/admin/config", func(w http.ResponseWriter, r *http.Request) {
	// Leaks sensitive environment variables
	json.NewEncoder(w).Encode(os.Environ())
})

http.ListenAndServe(":8080", r)
}

The Secure Implementation

To eliminate Shadow APIs in Chi, you must enforce Route Grouping and Middleware gating. 1) Use chi.Route() or chi.Group() to isolate sensitive endpoints. 2) Apply authentication middleware (JWT, API Keys, or mTLS) to these groups by default. 3) Use environment-based conditional routing to prevent debug handlers from ever being registered in production binaries. 4) Implement automated documentation (like swag or openapi) that is generated directly from your routing logic to ensure the 'observed' API surface matches the 'documented' surface.

func main() {
	r := chi.NewRouter()
	r.Use(middleware.Logger)
	r.Use(middleware.Recoverer)
// Public Routes
r.Group(func(r chi.Router) {
	r.Get("/api/v1/status", getStatus)
})

// Protected Internal Routes - Only registered if explicitly enabled
if os.Getenv("ENABLE_DEBUG_ROUTES") == "true" {
	r.Route("/admin", func(r chi.Router) {
		r.Use(InternalAuthMiddleware) // Enforce strict AuthN/AuthZ
		r.Get("/config", getConfig)
	})
}

http.ListenAndServe(":8080", r)
}