If there's a security flaw in your code, it will still exist.

Hiding the documentation just makes it more difficult to understand how to interact with your API, and could make it more difficult for you to debug it in production. It could be considered simply a form of [Security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).

If you want to secure your API, there are several better things you can do, for example:

# Settings and Environment Variables { #settings-and-environment-variables }

In many cases your application could need some external settings or configurations, for example secret keys, database credentials, credentials for email services, etc.

Most of these settings are variable (can change), like database URLs. And many could be sensitive, like secrets.

For this reason it's common to provide them in environment variables that are read by the application.

/// tip

package com.google.common.eventbus;

import static com.google.common.base.Preconditions.checkNotNull;

import com.google.common.base.MoreObjects;

/**
 * Wraps an event that was posted, but which had no subscribers and thus could not be delivered.
 *
 * <p>Registering a DeadEvent subscriber is useful for debugging or logging, as it can detect
 * misconfigurations in a system's event distribution.
 *
 * @author Cliff Biffle
 * @since 10.0
 */

     */
    protected int destroyProcess(final String sessionId, final JobProcess jobProcess) {
        if (jobProcess != null) {
            final InputStreamThread ist = jobProcess.getInputStreamThread();
            try {
                ist.interrupt();
            } catch (final Exception e) {
                logger.warn("Could not interrupt a thread of an input stream.", e);

	keyBytes, err := os.ReadFile("./testdata/invalid_test_key.pub")
	if err != nil {
		c.Fatalf("could not read test key file: %s", err)
	}

	testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
	if err != nil {
		c.Fatalf("could not parse test key file: %s", err)
	}

	newSSHCon := newSSHConnMock("dillon=ldap")
	_, err = sshPubKeyAuth(newSSHCon, testKey)

# OpenAPI Callbacks { #openapi-callbacks }

You could create an API with a *path operation* that could trigger a request to an *external API* created by someone else (probably the same developer that would be *using* your API).

It has a `GET` operation that could return an error.

It has a `POST` operation that could return several errors.

Both *path operations* require an `X-Token` header.

{* ../../docs_src/app_testing/app_b_an_py310/main.py *}

### Extended testing file { #extended-testing-file }

You could then update `test_main.py` with the extended tests:

Now, let's see how you could use that to return a custom response.

Let's say that you want to return an [XML](https://en.wikipedia.org/wiki/XML) response.

You could put your XML content in a string, put that in a `Response`, and return it:

Here are some examples of when that could make sense:

#### A Simple App { #a-simple-app }

You could want a process manager in the container if your application is **simple enough** that can run it on a **single server**, not a cluster.

#### Docker Compose { #docker-compose }

                                <div class="form-group row">
                                    <span class="font-weight-bold col-sm-3 text-sm-right col-form-label"><la:message
                                            key="labels.web_api_json_enabled"/></span>
                                    <div class="form-inline col-sm-9">
                                        <la:errors property="webApiJson"/>