Protecting Sensitive REST Interface URLs
Anything attached to the router is reachable over HTTP under the default policy, including the repository. If production does not need that access, deny it in the authorization policy to reduce the attack surface.
In addition, you can deny direct HTTP access to system objects in production, particularly access to
action. As a rule of thumb, do not expose anything that is not used in production.
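The following Python model is an added illustration, not the product's own policy format or code. The `Policy` class, the route paths and the glob patterns are hypothetical. It contrasts the default policy, under which every route attached to the router (the repository included) is reachable, with a deny-list that blocks the repository and system-object routes, and a default-deny allow-list; `exposed_unused` is the check behind the rule of thumb above: it lists routes that are still reachable but not used in production.

```python
"""Added illustration: a router authorization policy modelled in Python.
The Policy class, route paths and glob patterns are hypothetical, not the
product's own configuration format."""
import fnmatch
import posixpath
from dataclasses import dataclass, field

# Constructed set of routes "attached to the router" for this illustration.
ROUTES = [
    "/api/items",
    "/api/items/search",
    "/repository",
    "/repository/export",
    "/system/objects",
    "/system/objects/debug-action",
]

# Constructed list of what production clients actually call.
USED_IN_PRODUCTION = {"/api/items", "/api/items/search"}


def normalize(path: str) -> str:
    """Collapse '.', '..', trailing and duplicate slashes so that a rule on
    '/repository' also covers '/api/../repository' and '/repository/'."""
    return posixpath.normpath("/" + path.lstrip("/"))


@dataclass
class Policy:
    """First matching rule wins; otherwise fall back to default_allow."""
    default_allow: bool
    rules: list = field(default_factory=list)  # (glob pattern, "allow" | "deny")

    def decide(self, path: str) -> bool:
        path = normalize(path)
        for pattern, effect in self.rules:
            if fnmatch.fnmatchcase(path, pattern):
                return effect == "allow"
        return self.default_allow


# Default policy: nothing is denied, so every attached route is reachable.
DEFAULT_POLICY = Policy(default_allow=True)

# Hardened by denying what production does not need (repository, system objects).
DENY_LIST_POLICY = Policy(
    default_allow=True,
    rules=[("/repository*", "deny"), ("/system/*", "deny")],
)

# Stricter: default-deny, allow only the routes production actually uses.
ALLOW_LIST_POLICY = Policy(
    default_allow=False,
    rules=[("/api/*", "allow")],
)


def reachable(policy: Policy, routes) -> list:
    """Routes a client can reach under the given policy, sorted."""
    return sorted(r for r in routes if policy.decide(r))


def exposed_unused(policy: Policy, routes, used) -> list:
    """Routes that are reachable but not used in production: the attack
    surface the rule of thumb says to remove."""
    return [r for r in reachable(policy, routes) if r not in used]


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY),
                         ("deny-list", DENY_LIST_POLICY),
                         ("allow-list", ALLOW_LIST_POLICY)]:
        leak = exposed_unused(policy, ROUTES, USED_IN_PRODUCTION)
        print(f"{name}: reachable but unused -> {leak}")
```

The deny-list keeps the default-allow behaviour, so any route added later is exposed until someone remembers to deny it; the allow-list removes it automatically. Running `exposed_unused` against the real route table as part of a release check is the practical way to enforce "do not expose anything that is not used in production".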
For an example that shows how to protect sensitive URLs, see "Configure Access Control in