Client API exposes json payload with all API endpoints in public

Hi! I am new to OpenZiti and deployed a fully self hosted environment consisting of a controller with an edge router (public) on VM A in DMZ A paired with a second edge router (private) on VM B in DMZ B. The application server is reachable via the private edge router. Everything works absolutely fine! The iOS client connects to the controller and edge router (public) and traffic is released on the edge router (private). Perfect...

Now my sense for extreme security kicks in, which is why I have already split API access and the control plane onto different IPs and ports.

Management API is only internally reachable (Port 1281). ZAC is on a whole different Port (8443) and only reachable from internal with Client Certificate (no password auth possible).

The Client API is available on the public IP with port 1280 (binding edge-client and edge-idc). The controller listens on 1280 on the public IP.

If I connect to https://:1280 from external, I am presented with a full list of all API endpoints as a JSON payload.
The browser first asks me to select a client certificate, but if I click cancel on that, I am still presented with the endpoint list without auth.
Is this normal behavior or have I forgotten something?
Would it be possible to deny all requests without correct client certificate? The specific endpoints or api calls won't work without certificate (NOT_AUTHENTICATED), but I would like to have NO response without a certificate. I don't like someone fiddling around with the API.

Hi @zypresse-lack-8z, welcome to the community and to OpenZiti!

At this time the client API exposes the version endpoint so the clients can make decisions about the network they're connecting to before authenticating. It's one of the very few endpoints that is actually public. There's no way at this time to make the client API deny inbound requests without a certificate. It's something we have considered enabling in the future but it's not on the roadmap just yet. We do talk about it now and then though, so my bet is that it'll happen at some point, just not sure when.

I take the stance that security through obscurity is not viable security, at best it slows an attacker down. Defense in depth is a much better approach which is where all the other security features of OpenZiti come into play.

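As an added example (not code from the OpenZiti project or from either poster), here is a small defender-side audit you could run against your own controller's client API on port 1280 to document which paths answer without a client certificate, as the reply above describes for the version endpoint. The two paths listed, the NOT_AUTHENTICATED-style error body, and the injected fetcher are assumptions made for this example.

```python
"""Audit which edge-client API paths answer without a client certificate.

Added example, not OpenZiti project code. The HTTP call is injected so the
classification logic can run offline; paths and error shapes are assumptions.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher returns (http_status, body_text) for a path on the controller.
Fetcher = Callable[[str], Tuple[int, str]]

# Assumed client API paths (port 1280 in the thread); adjust to your deployment.
CLIENT_API_PATHS = [
    "/edge/client/v1/version",   # expected: public, usable before authenticating
    "/edge/client/v1/services",  # expected: rejected without an API session
]


def classify(status: int, body: str) -> str:
    """Return 'public', 'auth-required' or 'other' for one response."""
    if status == 200:
        return "public"
    if status in (401, 403):
        return "auth-required"
    try:
        # Assumed error shape: {"error": {"code": "NOT_AUTHENTICATED", ...}}
        err = json.loads(body).get("error", {})
        if isinstance(err, dict) and "AUTH" in str(err.get("code", "")).upper():
            return "auth-required"
    except ValueError:
        pass
    return "other"


def audit(fetch: Fetcher, paths=CLIENT_API_PATHS) -> Dict[str, str]:
    """Classify every path; the 'public' entries are the unauthenticated surface."""
    return {p: classify(*fetch(p)) for p in paths}


def https_fetcher(base_url: str, ca_file: str) -> Fetcher:
    """Real fetcher: verifies the controller CA but sends no client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url + path, context=ctx, timeout=10) as r:
                return r.status, r.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode()
    return fetch
```

Run `audit(https_fetcher("https://<controller-public-ip>:1280", "ca.pem"))` against your own deployment to get a per-path record of what is reachable without a certificate.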

Thanks for your explanation. Is there a list of those "actually public" endpoints or is it easier to click through the api documentation?