Description
I'd like to enable only the GraphQL endpoint, and completely disable REST. Leaving it open is a potential security issue, as it means maintaining two different protocols.
Perhaps a flag could be added to https://api-platform.com/docs/core/configuration/, such as enable_rest, to control whether REST routes are enabled.
#2796 raised this problem, but it was closed years ago, so I'm opening a new issue. It describes overriding ApiLoader, which still works in version 4.3.3 (just return new RouteCollection(); in load()) but means patching code in vendor.
I'm happy to send a PR if I get a guideline for the implementation.
Example
api_platform:
    enable_rest: false