Manual talk:$wgEnableAPI

Latest comment: 10 years ago by 88.130.77.56

Why would someone want to disable the API? Leucosticte (talk) 04:47, 26 January 2014 (UTC)Reply

There are many possible reasons for that. E.g. for improved security or because he is not needing the API just to name some. --88.130.77.56 04:51, 26 January 2014 (UTC)Reply
How does it improve security to keep people from using the API for non-write operations? Leucosticte (talk) 05:04, 26 January 2014 (UTC)Reply
Information disclosure does not necessarily need write access. --88.130.77.56 05:07, 26 January 2014 (UTC)Reply
Maybe there should be more options than just on/off for read access; which API modules pose more of a security threat? Leucosticte (talk) 05:20, 26 January 2014 (UTC)Reply
Which API actions actually are most dangerous cannot be said easily, I think. If they all work the way they should, then all should be secure. Generally the biggest potential for harm comes from those, which allow you to actually write or to get much information. But when there are security holes in the code, then these thoughts become secondary; it then really depends on the impact of the vulnerability.
You mean on/off switches e.g. for the single actions? Yes, would make sense. --88.130.77.56 14:35, 26 January 2014 (UTC)Reply
Return to "$wgEnableAPI" page.