New Magento 2.0.3 security release coming soon. The Magento Team releases new product that resolve some security issues encountered by merchants. The Magento 2.0.3 is available for both Magento Enterprise Edition and Community Edition, and contains several security improvements.
Magento 2 now prevents anonymous users from accessing.
Release prevents unauthorized access to web APIs. Magento 2 allows some web APIs to be accessed by anonymous users. It allow to customer to have shopping experience on the store without having to use a password.
But most merchants are interested in taking steps to prevent others from accessing their store. Protecting your information can help reduce your risk of identity theft. New release prevents unauthorized access to some web APIs by default so that private information about the store (pricing, stock details, upcoming promotions) are not disclosed without authentication. By default, Magento 2 now prevents anonymous users from accessing.
This change could cause third-party plugins to fail, so merchants can still configure their APIs to support anonymous access if it is required.
- Limits for Token Access API password attempts. Admin and Customer Token Access API password attempts limited to help prevent brute force efforts to guess passwords.
- Fixes multiple parameters in the Authorize.net payment module that were vulnerable to reflected Cross Site Scripting attacks (XSS).
More info: Restricting Access to Anonymous Web APIs at Magento.com.
Magento 2.0.3 also includes the efficiency improvements and functional enhancements to the Orders API, Google Tag Manager, permissions.