← Back to Baseline

MB-R095

GraphQL and API exposure minimized

C03 Secure Coding Practices Medium

Public API and GraphQL surfaces should expose only intended functionality and should not reveal admin-only, customer-private, or debugging capabilities. Excessive API exposure increases attack surface for enumeration, data scraping, and authorization bypass. Review enabled modules, route definitions, schema exposure, and production settings to ensure only required endpoints are reachable.

Why it Matters

GraphQL and REST endpoints can reveal more functionality than intended, especially when custom modules expose schemas, debug fields, admin-only operations, or broad collection queries. Excessive exposure increases the attack surface for enumeration and data scraping.

Minimizing API exposure keeps public surfaces focused on required storefront behavior and makes authorization easier to reason about.

Verification Steps

Schema and route review

grep -RIE "schema.graphqls|webapi.xml" app/code vendor/*/*/etc 2>/dev/null
# Identify public anonymous resources and broad query surfaces

Production endpoint check

# Confirm debug/test endpoints are disabled and unused APIs are not publicly reachable

Remediation / Fix Guidance

  1. Disable unused modules or API routes that are not required in production.
  2. Avoid anonymous access unless the endpoint is intentionally public.
  3. Remove debug fields and internal data from GraphQL schemas.
  4. Apply pagination, filtering limits, and authorization checks to collection endpoints.
  5. Document public API surfaces and review them during releases.

Examples

Fail Example
<resource ref="anonymous" /> on a route returning customer/order data.
# Excessive exposure → FAIL
Pass Example
API route requires customer token or scoped admin integration and returns only required fields.
# Exposure minimized → PASS

References