Protecting the Magento 2 API

in MagentoSecurity

Update 31-3: The Magento team released security update Magento 2.0.3 on March 30th. This release contains a security fix that restricts access to anonymous web APIs. Read more.
We recommend you to update your Magento version to Magento 2.0.3 instead of blocking the API.

In March 2016, Paul Bosselaar and others discovered that the Magento 2 API by default discloses information that can be considered private:

  • All products, including offline/disabled products, pricing rules, stock information. A competitor could monitor your stock and see exactly how many products you sell and when.
  • Admin token generation. This requires admin credentials, but there is no rate limit. Magento forced an obscured admin login url, but that is of no use when an attacker can brute force the API.
  • Site and store configuration. The API will tell you which other stores/URLs are configured for this shop.

At the time of writing, Magento has responded that “this is as designed”. We discussed this with our partners and some were highly surprised. So to be on the safe side, we have protected unauthorized access for specific API methods for all our customers.

Some quick conclusions:
Your shop is running on Hypernode? We have got you covered!
You’re shop is hosted somewhere else? See below for instructions

I use Hypernode

Several API methods that might leak confidential data are protected by default:

V1/products
V1/store/storeViews
V1/store/storeConfigs

If you need to allow one or more of these urls to be accessable, you can easily modify the default configuration. Log in on your Hypernode and edit the file nginx/server.magento2api. Modify the lines of the following block:

location ~ ^/(pub/)?(rest|soap)(/.+)?/V1/(products|store/storeViews|store/storeConfigs)/?$ {
        return https://support.hypernode.com/knowledgebase/protecting-the-magento-2-api/;
}

When full access to the API is needed, the easiest way to do this is done with > nginx/server.magento2api to emtpy the file. An alternative would be to put all the lines in comment to deactivate the protection.

If you do not require the API, it is recommended to block it entirely. Edit the file nginx/server.magento2api, remove all lines and add:

location ~ ^/(pub/)?(rest|soap)/ {
      return 403;
}

I do not use Hypernode

You will need to do some extra work yourself. First, contact your hosting provider and ask them to help you. Otherwise you can block the API using .htaccess in case of Apache. Perhaps the Nginx rules above might work, but we do not provide support on them for non-Hypernode environments. Good luck!

 

0