Hi guys,
One of our clients has been pinged during a security audit due to the Jiwa API. They have requested that we lock down the metadata endpoint.
It appears from https://docs.servicestack.net/auth/restricting-services#hiding-services-from-metadata that, while not removing it completely, it is possible to remove all the content from the /metadata endpoint; however, this would involve adding [ExcludeMetadata] decorations throughout the Rest API plugin, which would be clobbered with your next update.
Am I missing that you have already catered for this programmatically? If not, 1) is there a solution I can implement now that doesn't alter the Rest API plugin, and 2) could you add a future feature to handle this programmatically, preferably tied to the existing REST API / Debug Mode setting?
Cheers,
Neil