Manual talk:$wgEnableAPI
Latest comment: 10 years ago by 88.130.77.56
Why would someone want to disable the API? Leucosticte (talk) 04:47, 26 January 2014 (UTC)
- There are many possible reasons for that. E.g. for improved security or because he is not needing the API just to name some. --88.130.77.56 04:51, 26 January 2014 (UTC)
- How does it improve security to keep people from using the API for non-write operations? Leucosticte (talk) 05:04, 26 January 2014 (UTC)
- Information disclosure does not necessarily need write access. --88.130.77.56 05:07, 26 January 2014 (UTC)
- Maybe there should be more options than just on/off for read access; which API modules pose more of a security threat? Leucosticte (talk) 05:20, 26 January 2014 (UTC)
- Which API actions actually are most dangerous cannot be said easily, I think. If they all work the way they should, then all should be secure. Generally the biggest potential for harm comes from those, which allow you to actually write or to get much information. But when there are security holes in the code, then these thoughts become secondary; it then really depends on the impact of the vulnerability.
- You mean on/off switches e.g. for the single actions? Yes, would make sense. --88.130.77.56 14:35, 26 January 2014 (UTC)
- Maybe there should be more options than just on/off for read access; which API modules pose more of a security threat? Leucosticte (talk) 05:20, 26 January 2014 (UTC)
- Information disclosure does not necessarily need write access. --88.130.77.56 05:07, 26 January 2014 (UTC)
- How does it improve security to keep people from using the API for non-write operations? Leucosticte (talk) 05:04, 26 January 2014 (UTC)