# Redirect endpoints that should not be public

### User Story:

As an anonymous user, I do not want to be able to access insecure Drupal-related endpoints, so that I cannot see sensitive information.

### Acceptance Criteria:

(i) **Scenario 1: Redirect endpoints**\
Given that I have access past the firewall\
When I go to the URLs listed below\
Then I will be redirected to /system/403

* /rss.xml
* /node
* /taxonomy/term/%/feed
* /taxonomy/term/%
* /rest/session/token
* /session/token
* /machine\_name/transliterate
* /filter/tips/plain\_text
* /filter/tips

### Implementation Details

**For /rss.xml, /node, /taxonomy/term/%/feed, and /taxonomy/term/%**

* Unpublish the Frontpage view: update the `views.view.frontpage` configuration.
* Unpublish the Taxonomy term view: update the `views.view.taxonomy_term` configuration.

**For /rest/session/token, /session/token, /machine\_name/transliterate, /filter/tips/plain\_text, and /filter/tips**

* Create a custom module: CUSTOM\_MODULE\_security.
* Find the route name for each path, or match on the path itself. Either search the code base or locally enable the Webprofiler module and use its dev toolbar to read the route name.
* Programmatically redirect the above-mentioned URLs to the 403 page.
* Register the Event Subscriber by creating a CUSTOM\_MODULE\_security.services.yml file:

```yaml
services:
  CUSTOM_MODULE_security.subscriber:
    class: Drupal\CUSTOM_MODULE_security\EventSubscriber\CUSTOMMODULESecuritySubscriber
    tags:
      - { name: event_subscriber }
```

* Create the redirects in the CUSTOM\_MODULE\_security module using the EventSubscriber.
* Check whether the current user is anonymous:

```php
if (\Drupal::currentUser()->isAnonymous())
```

* Loop through each route name and set the new response:

```php
$response = new RedirectResponse('/system/403', 301);
$event->setResponse($response);
```

***behat tests***

* Write a behat test to confirm all URLs redirect to the 403 page.
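A complete subscriber that carries out the steps above, added here as an example; it is not the ticket's or the project's own code. It assumes the module name CUSTOM\_MODULE\_security and injects the `current_user` and `current_route_match` services instead of calling `\Drupal::` statically, so the services.yml entry needs an `arguments: ['@current_user', '@current_route_match']` line. The route names are the core routes I believe serve the listed paths (`filter.tips` covers `/filter/tips/{filter_format}`, which includes `/filter/tips/plain_text`); confirm each with the Webprofiler toolbar before relying on it. The redirect uses a 302 rather than the 301 shown above because the decision depends on the session: browsers cache a 301 permanently, so a visitor who later logs in would keep being sent to /system/403 from their own cache. Also keep in mind that `/session/token` is how anonymous clients fetch CSRF tokens, so if the site allows anonymous writes through REST or JSON:API, blocking it will break those clients.

```php
<?php

namespace Drupal\CUSTOM_MODULE_security\EventSubscriber;

use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Url;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Sends anonymous requests for selected core routes to the 403 page.
 */
class CUSTOMMODULESecuritySubscriber implements EventSubscriberInterface {

  /**
   * Route names blocked for anonymous users, keyed by the path they serve.
   *
   * Assumed core route names; confirm each with the Webprofiler toolbar.
   */
  const BLOCKED_ROUTES = [
    '/node' => 'view.frontpage.page_1',
    '/rss.xml' => 'view.frontpage.feed_1',
    '/taxonomy/term/%' => 'view.taxonomy_term.page_1',
    '/taxonomy/term/%/feed' => 'view.taxonomy_term.feed_1',
    '/session/token' => 'system.csrf',
    '/rest/session/token' => 'rest.csrftoken',
    '/machine_name/transliterate' => 'system.transliterate_machinename',
    '/filter/tips' => 'filter.tips_all',
    '/filter/tips/%' => 'filter.tips',
  ];

  public function __construct(
    protected AccountProxyInterface $currentUser,
    protected RouteMatchInterface $routeMatch,
  ) {}

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // The router listener matches the route at priority 32; a lower priority
    // guarantees the route name is already known when this runs.
    return [KernelEvents::REQUEST => ['onRequest', 20]];
  }

  /**
   * Replaces the response for blocked routes when the visitor is anonymous.
   */
  public function onRequest(RequestEvent $event): void {
    // Sub-requests (e.g. rendered blocks) never need the redirect.
    if (!$event->isMainRequest()) {
      return;
    }
    if (!$this->currentUser->isAnonymous()) {
      return;
    }
    $route_name = $this->routeMatch->getRouteName();
    if (!in_array($route_name, self::BLOCKED_ROUTES, TRUE)) {
      return;
    }
    // 302, not 301: the outcome depends on the session, so browsers must not
    // treat it as a permanent redirect.
    $url = Url::fromRoute('system.403')->toString();
    $event->setResponse(new RedirectResponse($url, 302));
  }

}
```

Matching on route names rather than raw paths means the redirect still applies when a path alias or a trailing slash is used, and the `/taxonomy/term/%` entries cover every term id without a pattern match. Clear caches after adding the services.yml entry so the container picks up the new subscriber.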

### Testing Steps

As an anonymous user, when visiting the URLs listed below, I will be redirected to /system/403:

* /rss.xml
* /node
* /taxonomy/term/%/feed (% is a placeholder for the taxonomy term id)
* /taxonomy/term/%
* /rest/session/token (only if the REST module is enabled)
* /session/token
* /machine\_name/transliterate
* /filter/tips/plain\_text
* /filter/tips
