I just checked on one off my websites this:

If one knows the url of a server connect Action file stored in: /dmxConnect/api/..../****.php and opens the URL in the browser all data returned by that server action file is visible as json data in the browser.

For instance when you have a dynamic form, the action url of the Form point to a server connect file with the complete URL.

This is a very serious problem, unless perhaps I have missed something, but then please clarify how to prevent this from being possible.
Like to hear from you soon!

Hello Hans,
What exactly your action contains?

Hello Teodor,

Well, that doesn't really matter I think.
Of course most of the time with a dynamic form it will be a insert/update action, so NOT returning data. But that was only an example.

In the source code of every app connect page that contains server connect files the path to the server connect files is visible. People (hackers) can get a view/guess of how my api structure is set up. And with a little guessing they might (with trial and error) change the file name part in the server connect file URL and get data that is not meant for them to access.

the api files URL's should not be known at all I think.

Well it does matter... that is why i am asking ...

If you have some data that needs to be secured in the action you just need to add security restrict step at the top of action file, then nobody who's not logged in can see anything. Also - if you see what the server action returns you have enabled the "Output" options for some of the steps - that's why i am asking what your server action contains.

Thank you for replying Teodor.
Fair enough, that makes good sense.
I thought output was required to show the data where needed? For security I use a different system in CMS. But I will look into that option too.

No, output is not needed for what is posted on the page. It is required for debugging purposes.