I was stunned when I read this about DAS (Domino Access Service). I was working like crazy on exactly this topic, because it seems to me the big step forward, above all for mobile applications and the like.
Anyway, I have to do more tests, but this has left me speechless.
For your information:
If you are using (or plan to use) DAS (Domino Access Service) to provide REST access to Domino data, you should be aware of a security issue. There is a URL (see DAS docs) http(s)://<host>/api/data which is suggested (by the docs) to be tried as the first test after enabling DAS.
This URL is accessible without authentication (unless anonymous access to the web site is completely disabled globally) and there is no way to restrict access to it.
And this URL returns an XML-formatted list of ALL databases on the server (whether they are DAS enabled or not!) including their path name, title, template name and replica ID. This data will usually disclose a lot of information (and I think too much) which can point attackers to worthwhile targets.
I have opened a PMR but I have the impression that I am not really being taken seriously. I am told "Domino is working as designed", and that what I claim is a security issue is in fact only a "request for enhancement".
However, a SPR (#RGAU8TYHMG) has been created. Should you feel that this issue does not let you sleep well with a DAS-enabled server facing the internet, you may want to open a PMR as well and refer to the above SPR number to indicate that you also want that to be changed.
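Until the behaviour changes server-side, one thing an administrator can do is watch the HTTP access log for anonymous, successful requests to the /api/data catalog URL described above. The script below is an added example, not code from the post or from IBM; it assumes the Domino HTTP log is written in common log format (where "-" in the user field means no authenticated user), and the log lines it runs on are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Common log format: client ident user [time] "METHOD path proto" status size
# (assumed layout; Domino can write text access logs in this format)
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Hit:
    client: str
    time: str
    path: str
    status: int

def parse_clf(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_das_catalog_path(path):
    """True if the request targets /api/data itself (the database catalog),
    ignoring query string, trailing slash and letter case."""
    return path.split('?', 1)[0].rstrip('/').lower() == '/api/data'

def find_anonymous_das_catalog_hits(lines):
    """Flag successful (2xx) catalog requests made without an authenticated user."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # skip non-CLF lines (e.g. truncated or other log formats)
        if rec['user'] == '-' and rec['status'].startswith('2') \
                and is_das_catalog_path(rec['path']):
            hits.append(Hit(rec['client'], rec['time'], rec['path'], int(rec['status'])))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2013:10:01:22 +0100] "GET /api/data HTTP/1.1" 200 4812',
    '198.51.100.5 - jdoe [12/Nov/2013:10:02:03 +0100] "GET /api/data HTTP/1.1" 200 4812',
    '203.0.113.9 - - [12/Nov/2013:10:03:10 +0100] "GET /API/DATA/?x=1 HTTP/1.1" 200 4812',
    '203.0.113.9 - - [12/Nov/2013:10:04:45 +0100] "GET /homepage.nsf HTTP/1.1" 200 912',
    '203.0.113.11 - - [12/Nov/2013:10:05:30 +0100] "GET /api/data HTTP/1.1" 403 0',
]

if __name__ == '__main__':
    for h in find_anonymous_das_catalog_hits(SAMPLE_LOG):
        print(f'{h.time} anonymous catalog read from {h.client}: {h.path} -> {h.status}')
```

Only the two anonymous 2xx requests to the catalog URL are reported; the authenticated read, the unrelated database request and the refused (403) attempt are not.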