Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
By default, when enabling JSON:API Extras and Varbase API recipe, all resource types are available for public API access unless explicitly disabled or restricted.
This can unintentionally expose entity data - such as user profiles, configuration entities, and unpublished content - when the API module is enabled without prior configuration.
To enhance security, privacy, and compliance, Varbase should ship with a safer default configuration for JSON:API resources - disabling all unspecified resources by default. This allows developers to explicitly enable only what they need.
Proposed resolution
- Enhance the Varbase API recipe to use secure defaults that disable all resource types by default and require explicit activation.
- All JSON:API resources are disabled by default.
- Only explicitly enabled resources can be queried.
- The JSON:API configuration is validated for integrity and consistency.
- Reduces surface area for potential data exposure.
Remaining tasks
- ✅ File an issue about this project
- ✅ Addition/Change/Update/Fix to this project
- ✅ Testing to ensure no regression
- ➖ Automated unit/functional testing coverage
- ➖ Developer Documentation support on feature change/addition
- ➖ User Guide Documentation support on feature change/addition
- ➖ UX/UI designer responsibilities
- ➖ Accessibility and Readability
- ✅ Code review from 1 Varbase core team member
- ✅ Full testing and approval
- ✅ Credit contributors
- ✅ Review with the product owner
- ✅ Update Release Notes and Update Helper on new feature change/addition
- ✅ Release varbase-10.1.0-beta1, varbase_api-10.1.0-beta2, varbase-10.0.8, varbase_api-10.0.11, varbase-9.1.12, varbase_api-9.1.11
Varbase update type
- ✅ No Update
- ➖ Optional Update
- ➖ Forced Update
- ➖ Forced Update if Unchanged
User interface changes
- N/A
API changes
- N/A
Data model changes
- N/A
Release notes snippet
- [#3553624] fix(api): Improve Default JSON:API Resource Overrides to Limit Vulnerabilities in Varbase API
Comments
Comment #5
rajab natshahComment #6
rajab natshahComment #10
rajab natshahComment #11
rajab natshahComment #13
rajab natshah✅ Released varbase_api-10.1.0-beta2
Comment #14
rajab natshah✅ Released varbase_api-9.1.11
Comment #15
rajab natshah✅ Released varbase_api-10.0.11
Comment #16
rajab natshah✅ Released varbase-10.1.0-beta1
Comment #18
rajab natshah✅ Released varbase-10.0.8
Comment #19
rajab natshah✅ Released varbase-9.1.12