Can you block JSON feedback from being public? (e.g. /site/statistics.json, /site/basic-info.json)

(David Foster) #1

Just wondering if there is an option I’m not seeing for this…
It’s made public that any user can visit your Discourse instance and go to site/basic-info.json, site/statistics.json
and gather information…
I know it’s not terribly sensitive information, but I would still like the option to avoid any data being freely observed.
I see in the Rails site_controller.rb:
skip_before_action :redirect_to_login_if_required, only: ['basic_info', 'statistics']

I know I can just comment that out to resolve the issue, but it would be better if there was an option in the admin portal that would do this. Is there a setting I’m not seeing in the admin portal?

(Nathaniel Suchy) #2

The JSON output is needed for the script to work, HOWEVER if you are worried about scrapers, you could put your site behind Cloudflare and enable their “checking your browser” screen, which would prevent bots from scraping/abusing the information. If you have privacy concerns with Cloudflare, send me a private message and I can refer you to other providers (with extremely strict privacy policies) with a browser check (I don’t want to spam a list here).

(David Foster) #3

Thanks for the response. What script is needing these actions to work?

(Felix Freiberger) #4

Discourse (the web application) needs this information, e.g. to render the header and the /about page.

(Nathaniel Suchy) #5

Discourse needs the info to work; there’s no way to block it entirely. You could use a browser check to block bots, but many bots can run JavaScript, so that solution might not last long either.


@David_Foster To prevent statistics.json from being publicly visible, turn off share anonymized statistics (Admin->Settings->Other)

Note that the information is also on the About page so you may want to override the about.hbs template.

(Nathaniel Suchy) #7

Would that also block basic-info.json?

(David Foster) #8

Thanks for that! All good now!
No more JSON data available to the public.