Sensitive Endpoint Discloser

Hi all,
Currently i am founding one issue related to the security facing below issue
when we remove everything from url and fire direct request to “/api/user/v1/” endpoint
we get following json data which disclose sensitive endpoints existing on API
“users”: “http://localhost:18000/user_api/v1/users/”,
“user_prefs”: “http://localhost:18000/user_api/v1/user_prefs/

I just want to know that why this API show the below response and where is the view of this api url to know the exact reason behind this.
as i want to throw 403 for this api response as i want to authenticate API.
so please guide me on what can I do. Thanks in Advance :slightly_smiling_face:

Humm, why do you think those are sensitive?, For example I can know many endpoints by checking browser development console, and see url of each request. And assuming we hide it around auth, those endpoints would be known if someone is autheticated and checks their dev console.

Also many endpoints would be knows by just going to , or just see the source code

Similar to @ghassan, I don’t think this is a security concern, additionally because the code is open source.

I think this is probably coming from the default functionality of WebTransaction/Function/rest_framework.routers:APIRootView.get.

@ghassan @robrap thanks for the insightful post!