Why are drafts publicly accessible, and how to mitigate?

Puzzled as to why data at this endpoint are publicly accessible:


Are there best practices to limit this data from being publicly accessible? In other words, how can I have drafts but prohibit them from being publicly accessible?

Thank you!

This is what I have come up with so far:

if (ctx.query._publicationState === "preview" && ctx.req.user?.confirmed) {
  ctx.query._published_at_null = true;
} else if (ctx.query._publicationState === "preview") {
  ctx.query._published_at_null = false;
1 Like

best option is to create a policy: Backend customization - Strapi Developer Documentation

Generalize the policy enough and store it as a global one, then you can attach that to any route where you want the drafts private.

1 Like

Wow! That is awesome–works like a charm! Thanks so much!

1 Like