You could technically decline access in apache (or whatever software you're using).
But I need to warn: Many functionalities of mediawiki are done by calling the API in the backend, e.g. when you log out, it calls an API, when you watch a page, it calls another API, and all of those would break if you disable the api.php or rest.php HTH Am Mi., 23. Aug. 2023 um 23:14 Uhr schrieb Jeffrey Walton < [email protected]>: > Hi Everyone, > > I was looking at our Special:Version page, and got to thinking about > api.php [1] and rest.php.[2] I don't believe anyone on our team is > using the APIs, and I would like to disable them to reduce attack > surface. Or disable them on external interfaces (or maybe allow on > localhost/127.0.0.1). > > I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a > similar option for rest.php.[2] > > I have two questions. First, is it possible to disable api.php and > rest.php in practice? Or restrict them to internal interfaces only? > > Second, what option controls rest.php? > > And maybe a third question, can we rename api.php and rest.php tosay, > api.php.unused and rest.php.unused? Will that produce ill effects? > > Thanks in advance. > > [1] https://www.mediawiki.org/wiki/Manual:Api.php > [2] https://www.mediawiki.org/wiki/Manual:Rest.php > _______________________________________________ > MediaWiki-l mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/ > -- Amir (he/him)
_______________________________________________ MediaWiki-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
