Magento 2 API discloses sensitive information

This week it was discovered that the Magento 2 REST API, in its default configuration, discloses sensitive information about your store to anyone who asks: product database information (hidden/disabled products, pricing rules and stock details), the otherwise obfuscated admin URL, and which other storefronts (websites and store views) are running on the same Magento installation.

Magento responded saying that “this is as designed” but it’s insecure regardless and I recommend closing your API to public access. Here’s how.

You can check in MageReport if your API is open. At the end of the day this one’s up to you but I personally don’t like the idea of having this information freely available.
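If you would rather run that check yourself, here is an added example (not code from the original post, and not Magento's own) that requests the store-listing endpoints Magento 2 ships as anonymous in the Magento_Store module's webapi.xml and reports which ones an unauthenticated caller can read. The endpoint list is my assumption and should be verified against your release; the sample response used by demo() is constructed, so the script runs offline as well.

```python
"""Probe a Magento 2 store for anonymously readable REST endpoints.

Added example, not from the original post or from Magento. The endpoint
list below is an assumption drawn from Magento_Store's webapi.xml.
"""
import json
import sys
import urllib.error
import urllib.request

# Endpoints Magento 2 registers with resource "anonymous" (assumed; check
# vendor/magento/module-store/etc/webapi.xml for your version).
ANON_ENDPOINTS = [
    "/rest/V1/store/storeViews",
    "/rest/V1/store/storeGroups",
    "/rest/V1/store/websites",
    "/rest/V1/store/storeConfigs",
]

# Constructed sample of what /rest/V1/store/websites returns on an open
# store: two websites, which is exactly the "other storefronts" leak.
SAMPLE_OPEN_RESPONSE = json.dumps([
    {"id": 1, "code": "default", "name": "Main Website", "default_group_id": 1},
    {"id": 2, "code": "b2b_trade", "name": "Trade Portal", "default_group_id": 2},
])


def classify(status, body):
    """Map an HTTP response to a verdict.

    Returns ("open", items) when an anonymous caller got a JSON list back,
    ("closed", None) for 401/403/404 (auth required or blocked at the web
    server), and ("other", None) for anything else.
    """
    if status in (401, 403, 404):
        return "closed", None
    if status != 200:
        return "other", None
    try:
        data = json.loads(body)
    except ValueError:
        return "other", None
    if isinstance(data, list):
        return "open", data
    return "other", None


def names_from_listing(items):
    """Pull the store/website codes out of a listing, falling back to name."""
    return [i.get("code") or i.get("name") for i in items if isinstance(i, dict)]


def fetch(url):
    """GET url without any credentials; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def probe(base_url):
    """Try every assumed-anonymous endpoint; return {path: (verdict, items)}."""
    results = {}
    for path in ANON_ENDPOINTS:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = classify(status, body)
    return results


def demo():
    """Run the classifier over the constructed sample (offline)."""
    verdict, items = classify(200, SAMPLE_OPEN_RESPONSE)
    return names_from_listing(items) if verdict == "open" else []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, (verdict, items) in probe(sys.argv[1]).items():
            extra = " " + ", ".join(names_from_listing(items)) if items else ""
            print(f"{verdict:6} {path}{extra}")
    else:
        print("offline demo, websites visible to anonymous caller:", demo())
```

An "open" verdict on /rest/V1/store/websites or /rest/V1/store/storeViews is the "other storefronts" disclosure described above. One caveat before you close /rest/ at the web server: the Magento 2 storefront's own checkout JavaScript calls the same REST API (the guest-carts and carts/mine endpoints under /rest/<store code>/V1/), so denying the whole prefix breaks checkout. Restrict the disclosing endpoints, or restrict by source IP, rather than blocking /rest/ wholesale.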

If you have a Magento 2 store and would like me to close the API for you then get in touch today or call 01782 954282.
