Should view description be excluded from OPTIONS response by default?

[dennisvang]

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Possibly related to #5999

Description

As a relatively new, and rather naive, user of DRF, I was a bit surprised to see that my view's docstrings are returned in the "description" field of the response to an OPTIONS request.

I understand how this can be a very useful feature. However, if you are not aware of the fact, it also introduces a potential security risk, as it may leak information that was intended for in-house developers' eyes only.

I guess there could be a long (or very short) discussion, at this point, about docstring best-practices, and, how, perhaps, sensitive notes should not be included in a docstring in the first place.

However, I think we can safely say there are two facts:

1. whether by accident or by intention, sensitive information will sometimes end up in a view's docstring

2. not all DRF users will be aware that, by default, the view's docstring is returned as part of an OPTIONS response

Sure, the documentation provides an example of how to remove the docstring from the response, but that means you have to know about it first.

I think awareness is the key issue here.

For this reason I ask:

Shouldn't the inclusion of the view's docstring in the OPTIONS response be optional, instead of default?

Steps to reproduce

Request OPTIONS from any DRF view that has a docstring.

Expected behavior

I would expect the docstring NOT to be returned in the OPTIONS response, by default.

Actual behavior

The OPTIONS response includes the view docstring in the "description" field, by default. We have to disable this manually, as described, for example, in the documentation.

[dennisvang]

Ideas, anyone?

Also see e.g. https://medium.com/workindia-in/stop-django-rest-framework-from-leaking-your-docstrings-336c0df91656

[auvipy]

we have to think about it.