Hi all, I wanted to start a discussion on whether it might be a good idea to disable the REST API for the AMQ 5.16.0 distribution.
It makes me a bit uneasy that this is enabled by default. It is secured using the same basic auth approach as the web console. The problem here is that the API (correctly) lacks XSRF protection. However, if the admin user browsed to /api and the browser then saved the creds, it would be trivial to implement an XSRF-style attack on the API. Instead, it's better to secure a REST API with a token. As it's a feature that's probably not widely used, it would be better to disable it by default IMO. Thoughts?

Colm.
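The mechanism behind the concern above, as an added illustration that is not part of the original post and not ActiveMQ code: a small Python model of a browser that replays cached Basic credentials to an origin regardless of which page triggered the request, beside a bearer-token scheme where only the console page's own script holds the token. The broker and attacker origins, the endpoint path, the user database and the token value are all made up for the example.

```python
"""Model of the CSRF risk described in the post: HTTP Basic credentials that
the browser has cached are replayed on any request to the same origin, so a
page on another site can drive the API; a bearer token is only attached by
script that holds it. Added illustration, not ActiveMQ code; the origins,
path, users and token below are made up."""
import base64
from dataclasses import dataclass, field

BROKER = "http://broker.example:8161"       # assumed broker origin
ATTACKER = "http://evil.example"            # assumed attacker origin
API_PATH = "/api/message/TEST"              # assumed REST endpoint path
USERS = {"admin": "admin"}                  # made-up credential store
VALID_TOKENS = {"t0k3n-issued-to-console"}  # made-up token store


@dataclass
class Request:
    initiator: str                 # origin of the page that caused the request
    target: str                    # origin the request is sent to
    path: str
    headers: dict = field(default_factory=dict)


class Browser:
    """Minimal browser model covering the two authentication schemes."""

    def __init__(self):
        self.basic_cache = {}   # target origin -> "user:password"
        self.tokens = {}        # page origin -> bearer token that page's script holds

    def basic_login(self, origin, user, password):
        # What happens after the admin answers the Basic-auth prompt for /api.
        self.basic_cache[origin] = f"{user}:{password}"

    def store_token(self, page_origin, token):
        # A token handed to the console page; script on another origin
        # cannot read it because of the same-origin policy.
        self.tokens[page_origin] = token

    def send(self, req):
        creds = self.basic_cache.get(req.target)
        if creds is not None:
            # Basic: replayed for the target origin no matter which page
            # triggered the request (auto-submitted form, <img>, fetch, ...).
            encoded = base64.b64encode(creds.encode()).decode()
            req.headers["Authorization"] = "Basic " + encoded
        token = self.tokens.get(req.initiator)
        if token is not None and "Authorization" not in req.headers:
            # Bearer: only the initiating page's own script can add it.
            req.headers["Authorization"] = "Bearer " + token
        return req


def server_accepts(req, scheme):
    """Server-side check for one scheme; True if the request is authorised."""
    auth = req.headers.get("Authorization", "")
    kind, _, value = auth.partition(" ")
    if scheme == "basic":
        if kind != "Basic":
            return False
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return USERS.get(user) == password
    if scheme == "bearer":
        return kind == "Bearer" and value in VALID_TOKENS
    raise ValueError(f"unknown scheme: {scheme}")


def run_scenario(scheme):
    """Return whether a legitimate and a cross-site forged request get through."""
    browser = Browser()
    if scheme == "basic":
        browser.basic_login(BROKER, "admin", "admin")
    else:
        browser.store_token(BROKER, "t0k3n-issued-to-console")
    # The admin's own request from the broker's console page.
    legit = browser.send(Request(BROKER, BROKER, API_PATH))
    # The same request triggered by a page on the attacker's site.
    forged = browser.send(Request(ATTACKER, BROKER, API_PATH))
    return {"legit": server_accepts(legit, scheme),
            "forged": server_accepts(forged, scheme)}


if __name__ == "__main__":
    for scheme in ("basic", "bearer"):
        print(scheme, run_scenario(scheme))
```

Under the Basic scheme both requests carry `Authorization: Basic ...` because the browser keys the cached credentials on the target origin alone, so the forged request is accepted; under the bearer scheme the forged request arrives with no `Authorization` header at all and is rejected. The model deliberately ignores CORS, since a simple form POST or `<img>` request needs no preflight and still carries cached Basic credentials.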
