MB-R095
Public API and GraphQL surfaces should expose only intended functionality and should not reveal admin-only, customer-private, or debugging capabilities. Excessive API exposure increases attack surface for enumeration, data scraping, and authorization bypass. Review enabled modules, route definitions, schema exposure, and production settings to ensure only required endpoints are reachable.
GraphQL and REST endpoints can reveal more functionality than intended, especially when custom modules expose schemas, debug fields, admin-only operations, or broad collection queries. Excessive exposure increases the attack surface for enumeration and data scraping.
Minimizing API exposure keeps public surfaces focused on required storefront behavior and makes authorization easier to reason about.
grep -RIE "schema.graphqls|webapi.xml" app/code vendor/*/*/etc 2>/dev/null
# Identify public anonymous resources and broad query surfaces
# Confirm debug/test endpoints are disabled and unused APIs are not publicly reachable
<resource ref="anonymous" /> on a route returning customer/order data.
# Excessive exposure → FAIL
API route requires customer token or scoped admin integration and returns only required fields.
# Exposure minimized → PASS