Written by Steve Perry
Published on

Magento 2 API discloses sensitive information

This week it was discovered that the Magento 2 API by default discloses sensitive information about your store such as product database information (hidden/disabled products, pricing rules and stock details), the otherwise obfuscated admin URL and which other storefronts are running on the same website.

Magento responded saying that “this is as designed” but it’s insecure regardless and I recommend closing your API to public access. Here’s how.

You can check in MageReport if your API is open. At the end of the day this one’s up to you but I personally don’t like the idea of having this information freely available.

If you have a Magento 2 store and would like me to close the API for you then get in touch today or call 01782 954282.

Steve Perry Creative Ltd

Studio and registered office: 4 Back Lane, Brown Edge, Staffordshire ST6 8QS.

Copyright © 2012 – 2023 Steve Perry Creative Ltd., unless otherwise noted.

Registered in England & Wales, number 08354632.


Typeset in Söhne Kräftig and Söhne Buch, by Klim Type Co.

Set as 32/64, 24/32, 20/32, and 12/16 on an 8px/96px grid.

Colour palette selected for AAA contrast.