### Impact
This bug affects Datasette instances running a Datasette 1.0 alpha – 1.0a0, 1.0a1, 1.0a2 or 1.0a3 – in an online accessible location but with authentication enabled using a plugin such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords).
The `/-/api` API explorer endpoint could reveal the names of both databases and tables – but not their contents – to an unauthenticated user.
### Patches
Datasette 1.0a4 has a fix for this issue.
### Workarounds
To work around this issue, block all traffic to the `/-/api` endpoint. This can be done with a proxy such as Apache or NGINX, or by installing the [datasette-block](https://datasette.io/plugins/datasette-block) plugin and adding the following configuration to your `metadata.json` or `metadata.yml` file:
“`json
{
“plugins”: {
“datasette-block”: {
“prefixes”: [“/-/api”]
}
}
}
“`
This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy.Read More