On 24/8/23 07:13, Jeffrey Walton wrote:
> Hi Everyone,
> I was looking at our Special:Version page, and got to thinking about
> api.php [1] and rest.php.[2] I don't believe anyone on our team is
> using the APIs,

People don't use them. Scripts use them, on behalf of people. The people
don't know

Controller is the frontend JS, so it makes the request on behalf of the user
(and not internally server-side), so basically there is no way to
distinguish between a request coming from a browser and an attacker.
Technically, you could block any browser-like UA, but that can be easily
spoofed.
On Thu.,
On Wed, Aug 23, 2023 at 10:16 PM Amir Sarabadani wrote:
>
> You could technically decline access in Apache (or whatever software you're
> using).
>
> But I need to warn: Many functionalities of MediaWiki are done by calling the
> API in the backend, e.g. when you log out, it calls an API, when
You could technically decline access in Apache (or whatever software you're
using).
But I need to warn: Many functionalities of MediaWiki are done by calling
the API in the backend, e.g. when you log out, it calls an API, when you
watch a page, it calls another API, and all of those would break