Add logs to notify when SpringDocs/Scalar is enabled because SpringDocs/Scalar is enabled by default (#3090)

[zakaria-shahen]

Add logs to notify when SpringDocs/Scalar is enabled (#3090)

Since the SpringDoc team disagrees with disabling SpringDocs/Scalar by default #3090 (like Scalar does scalar/scalar#6781).
we can use an alternative approach to achieve the same result: notify developers who may be unaware about SpringDocs behavior.

Background:

@bnasslahsen

Making it disabled by default would be better. You could introduce a new property like springdoc.scalar.enabled to allow users to enable or disable it, rather than relying on scalar.enabled.

From previous experience, I've found that people typically disable SpringDoc via springdoc.swagger-ui.enabled only in production profiles, without realizing for several months that their other endpoints remain exposed to the internet through /v3/api-docs.

You might say this is a noob mistake, but in reality, the mistake is made by principal-level developers, and it passes both internal and external penetration testing. No one catches it for months in production, until a curious junior developer (me at one of my previous companies) discovers it by accident.

There may still be other systems/companies where this issue hasn't been discovered yet, so it's better to disable it by default and ensure users familiarize themselves with your library before enabling it.

Note that I sent the same concern to Scalar via email, and they accepted it: scalar/scalar#6781 (Of course, I also sent the same concern to SpringDoc via email)

I agree with you that it may seem overkill, but when you look at it from the user's perspective, it makes sense.

Also, in 2024, the CVE board updated the CNA rules, including the following:

• 4.1.4 Insecure default configuration settings SHOULD be determined to be vulnerabilities

So what do you think?

Thank you for your effort in providing the Spring ecosystem with this library which makes our lives easier.