Anyone with an API link can see all endpoints if the documentation is enabled in production environment.
I would like to be able to disable the API documentation through the service center and only in the production environment; Today it is only possible to disable the documentation of an API through service studio and when you do this, later when publishing this application in other environments it disables it for other environments.
In a penetration test, the tester only had the link:
https://name.outsystementerprise.com/Vuln/rest/MyFirstApi/GetClient?ClientId={ClientId}
However, all he has to do is delete part of the URL and in production he will be able to see all the available endpoints of this api:
https://name.outsystementerprise.com/Vuln/rest/MyFirstApi/
Thinking about security, if documentation is enabled, all endpoints are exposed to view the structure, which greatly increases the area of exploration.
I would like to be able to control in which environment and which API the documentation is active, for example, in the development environment, keep the documentation enabled, in the production environment, disable all API documentation.
Today this is not possible, because you can only disable the documentation in the service estudio, and even if I open the service estudio in production and disable the api documentation, when I do another deploy the documentation will be enabled again, because in the development environment would be active.
I think it would be interesting for the infrastructure administrator to be able to enable or disable API documentation directly through the service center, and can also disable it in a single environment, or in a single application in a single environment.
With this, the administrator would be able to leave the documentation active in the development environment, and in the production environment only the documentation for the endpoints he wants.
Guys, if there is any way to do this through the service center, I apologize, but I didn't find it.