Past security vulnerabilities that affect JSON:API tend to have their root cause in the Entity API, Field API and Typed Data API's handling of writes: in access control handlers, validation constraints or deserialization. Hence they tend to apply only to POST, PATCH and DELETE requests.
Until now, JSON:API has allowed those requests by default.
But most decoupled Drupal deployments actually only use JSON:API (or other APIs) for reads.
Hence a good way to mitigate potential future vulnerabilities is clear: add a "read-only" mode that defaults to "on". This only allows read operations (GET requests). Existing JSON:API installations will automatically get it set to "off", to ensure they are not disrupted.
In case of a future security vulnerability, the Drupal Security Team will now be able to recommend turning on read-only mode as a temporary mitigation, to buy more time while you patch your site to fix the root cause of the vulnerability.
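As an added example (not part of the original change record), the following shell functions apply the temporary mitigation described above from the command line rather than the UI: they enable read-only mode through the `jsonapi.settings` config key `read_only` (the key the JSON:API module stores this setting under), read the value back, and send a test write to confirm it is refused. Assumptions: Drush is installed and run from the Drupal root, `SITE_URL` points at your own site (the default is a placeholder), and an `article` node type exists; the probe body is constructed for illustration only.

```shell
#!/bin/sh
# Added example: enable JSON:API read-only mode with Drush and verify it.
# Assumes Drush is available in the Drupal root. SITE_URL is a placeholder.
SITE_URL="${SITE_URL:-https://example.test}"

# Turn read-only mode on (the temporary mitigation) and rebuild caches so
# the change is picked up immediately. Pass 0 instead of 1 to turn it off.
set_jsonapi_read_only() {
  drush config:set -y jsonapi.settings read_only "${1:-1}"
  drush cache:rebuild
}

# Print the stored value of the read-only flag (YAML output from Drush).
jsonapi_read_only_state() {
  drush config:get jsonapi.settings read_only
}

# Send one write request to the API and print only the HTTP status code.
# The node type "article" and the body are assumptions for the probe.
probe_write_status() {
  curl -s -o /dev/null -w '%{http_code}' -X POST \
    -H 'Content-Type: application/vnd.api+json' \
    -H 'Accept: application/vnd.api+json' \
    --data '{"data":{"type":"node--article","attributes":{"title":"read-only probe"}}}' \
    "$SITE_URL/jsonapi/node/article"
}

# Interpret a status code from probe_write_status. JSON:API answers every
# POST/PATCH/DELETE with 405 Method Not Allowed while read-only mode is on;
# any other code (403, 422, 201, ...) means the write route is still reachable.
classify_write_status() {
  case "$1" in
    405) echo "writes-blocked" ;;
    *)   echo "writes-reachable" ;;
  esac
}

# Usage (uncomment on a real site):
# set_jsonapi_read_only 1
# jsonapi_read_only_state
# classify_write_status "$(probe_write_status)"
```

Run `set_jsonapi_read_only 1` when the Security Team recommends the mitigation, then `classify_write_status "$(probe_write_status)"` should print `writes-blocked`; after patching the root cause, `set_jsonapi_read_only 0` restores writes for sites that need them. Because the config is plain Drupal configuration, the same change can be shipped through config export (`read_only: true` in `jsonapi.settings.yml`) instead of Drush.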
In the UI
It's accessible via the same UI where other web services are configured:

And then you can configure it:
