Magento 2: protect your API

Magento 2 has a very powerful API that can be used to automate almost anything. Most API methods require authentication, but not all, and some of the unauthenticated methods disclose information that might be considered private. Even though Magento states that this behavior is as designed, not everybody might agree with this design choice. We explain what this “open API” means for your shop, how to check whether your shop has an open API, and how to block it.

Effect of an open API

The first effect of this open API is that it effectively publishes your product database, including hidden/disabled products, pricing rules and stock details. A malevolent competitor could use this to track when, and how much of, each product you sell.

Example of your product database (screenshot: mag_stock_disclose)

Second, the API accepts admin logins. Magento 2 has a compulsory obfuscated admin URL to prevent brute force attacks, but this benefit is negated by the open API.

Third, it also discloses which other storefronts are running on the same shop.

How to block your API

Magento states that this behavior is “as designed” but not everybody might agree with this design choice. This is why, as a precaution, we have blocked the most revealing API methods for our Hypernode customers (of course you can easily enable them).

If you are not on Hypernode and are not currently using the API, we recommend blocking API access altogether. In Nginx you could use this rule:

Try it for yourself. If you have a Magento 2 shop, try these URLs:

You can also consult your webserver logs to check if somebody has been API spying on you:
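As an added example (not the original post's Nginx rule, and not Hypernode's configuration), the following shell script does two things: it writes a defensive Nginx `location` rule that denies Magento 2's REST and SOAP endpoints to everything except trusted addresses, and it scans a webserver access log for API calls that actually got through. It assumes the Magento 2 defaults of `/rest/` for REST and `/soap/` for SOAP, a combined-format access log, and a placeholder trusted IP `203.0.113.10`; the log lines are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: block Magento 2 API paths in
# nginx and check the access log for API activity that was not blocked.
# Assumptions: REST under /rest/, SOAP under /soap/ (Magento 2 defaults),
# combined log format, 203.0.113.10 as a placeholder trusted address.

# 1. Write an nginx rule to a file so it can be included in the vhost's
#    server {} block. Regex locations win over Magento's generic
#    "location /" prefix, so this is evaluated for every API request.
#    Everything except the allow-listed addresses receives 403 before
#    the request ever reaches PHP.
write_api_block_rule() {
  out="$1"
  cat > "$out" <<'EOF'
# Deny Magento 2 REST and SOAP API access except from trusted addresses
location ~ ^/(rest|soap)(/|$) {
    allow 203.0.113.10;   # placeholder: your integration/office IP
    deny  all;
    # Allowed clients still get Magento's normal front controller
    try_files $uri $uri/ /index.php$is_args$args;
}
EOF
}

# 2. Count API requests per client IP in a combined-format access log.
#    $7 is the request path and $9 the status; requests nginx already
#    rejected with 403 are ignored so only successful API use is reported.
api_requests_by_ip() {
  logfile="$1"
  awk '$7 ~ /^\/(rest|soap)(\/|$)/ && $9 != 403 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$logfile" | sort -rn
}

# Constructed sample log (documentation IP ranges, not real visitors).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Oct/2017:10:00:01 +0000] "GET /rest/V1/products?searchCriteria= HTTP/1.1" 200 48213 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2017:10:00:02 +0000] "GET /rest/V1/stockItems/sku123 HTTP/1.1" 200 311 "-" "python-requests/2.18"
192.0.2.44 - - [10/Oct/2017:10:01:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2017:10:01:05 +0000] "GET /rest/V1/store/storeViews HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:10:02:00 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 403 153 "-" "python-requests/2.18"
EOF

# Usage: write the rule to a file for review, then report API callers.
RULE_FILE=$(mktemp)
write_api_block_rule "$RULE_FILE"
echo "nginx rule written to $RULE_FILE"
echo "API requests that were not blocked, per IP:"
api_requests_by_ip "$SAMPLE_LOG"
```

On a real server, point `api_requests_by_ip` at your `access.log`; any address other than your own integrations showing up with a large count is worth a closer look, and the rule file can be included in the vhost after adjusting the `allow` line to your own addresses.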

Check your Magento 2 API

We’ve added a check to MageReport that tells you whether your API access is open to everyone.
Check if your Magento 2 has an open API at MageReport

Are you a Magento specialist?

We need you in our team, to help developers save time 🙂