Public configuration endpoints
Security audits may flag some Bloomreach endpoints as vulnerable, but these are public by design. They only hold frontend setup data and don't expose any sensitive information.
This article explains what these endpoints are, what they contain, and why they're open by design.
What these endpoints are
Public endpoints send setup data to the app frontend when it loads. This data must be available before login — including on the login page itself — so the endpoints can't be locked behind authentication. Only the following endpoints are public:
- /api/config
- /api/globals.json
Before login, the app needs to show the CAPTCHA challenge, start the JavaScript SDK for tracking, and load branding and feature settings.
All data in these endpoints has been reviewed by the Bloomreach Product Security team and classified as public. It includes:
| Field | Description |
|---|---|
| apiVersion | The application version string. The frontend uses this for logging and debugging. Exposing the version number poses no security risk. |
| captcha_site_key | The public key used to initialize the CAPTCHA widget. This key is designed to be public and visible in the browser. |
| csrf_token | A random, one-time-use value generated for each user session. It protects against cross-site request forgery attacks — it's a security measure, not a secret credential. |
| features | A list of features enabled on your instance. The frontend uses this during initialization to show the right UI. |
| globalIPs | The IP addresses of Bloomreach load balancers. These are public Google load balancer IPs that Google also publishes openly. |
| googleAdWordsId | The public key used to initialize the Google AdWords integration. |
| googlePickerAppId | The public identifier used to initialize the Google File Picker widget. |
| passwordRules | The minimum password requirements for your instance, such as character count and allowed character types. The frontend shows these in real time during registration. |
| sentryFrontendDsn | The URL where the frontend logs exceptions for debugging purposes. |
| tracking token | The public identifier used to initialize Bloomreach's internal telemetry. |
| zendeskIntegrationId | The public identifier used to initialize the Zendesk widget. |
| zendeskWidgetKey | The public key used to initialize the Zendesk widget. |
Security review is an integral part of the endpoint code review process — every change is evaluated for what can and cannot be safely exposed before it reaches production.
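As an added example (not Bloomreach's own code), this is the kind of check a reviewer can run over a captured response from these endpoints: it compares the top-level keys against the allowlist documented in the table above and scans every value for shapes that must never appear in a pre-login response, such as a URL with embedded credentials or a PEM private key. The field names come from the table; the exact JSON key for the telemetry identifier and the sample response below are assumptions.

```python
"""Audit a /api/config or /api/globals.json response against the documented
public-field allowlist and flag secret-shaped values, whatever their key."""
import json
import re

# Fields the article classifies as public. The telemetry key is written
# "tracking token" in the article; its exact JSON spelling is an assumption.
PUBLIC_FIELDS = frozenset({
    "apiVersion", "captcha_site_key", "csrf_token", "features", "globalIPs",
    "googleAdWordsId", "googlePickerAppId", "passwordRules", "sentryFrontendDsn",
    "tracking token", "zendeskIntegrationId", "zendeskWidgetKey",
})

# Value shapes that must never be served before login, regardless of key name.
SECRET_VALUE_PATTERNS = (
    re.compile(r"://[^/\s:@]+:[^@\s]+@"),               # URL with user:password@
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key block
)

def _walk(value, path=""):
    """Yield (json_path, leaf) for every scalar in a nested JSON structure."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _walk(item, f"{path}[{index}]")
    else:
        yield path, value

def audit_public_config(payload: dict) -> dict:
    """Report keys outside the allowlist, documented keys that are absent,
    and paths whose string value looks like a credential."""
    keys = set(payload)
    secret_like = [p for p, v in _walk(payload)
                   if isinstance(v, str) and any(r.search(v) for r in SECRET_VALUE_PATTERNS)]
    return {"unexpected": sorted(keys - PUBLIC_FIELDS),
            "missing": sorted(PUBLIC_FIELDS - keys),
            "secret_like_values": secret_like}

def audit_json(text: str) -> dict:
    return audit_public_config(json.loads(text))

# Constructed sample, not a real response: a release has accidentally added a
# backend connection string next to the documented public fields.
SAMPLE_RESPONSE = json.dumps({
    "apiVersion": "1.2.3",
    "captcha_site_key": "site-key-placeholder",
    "csrf_token": "per-session-random-placeholder",
    "features": ["feature_a"],
    "globalIPs": ["203.0.113.10"],
    "passwordRules": {"minLength": 12},
    "sentryFrontendDsn": "https://publickey@o0.ingest.sentry.invalid/1",  # no password: passes
    "db_connection_string": "postgres://user:pass@db/prod",  # must be flagged
})

if __name__ == "__main__":
    print(audit_json(SAMPLE_RESPONSE))
```

A non-empty `unexpected` or `secret_like_values` list is a review blocker; `missing` only tells you which documented fields the captured instance did not serve.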
Common security audit findings
A security audit may flag the following findings as potential vulnerabilities. Each explanation below describes why the behavior is expected rather than a security risk.
Finding: Unauthenticated access to /api/config or /api/globals.json
- These endpoints are open on purpose. They hold setup data that must load before login. No secrets are exposed.
Finding: "Token" or "key" values exposed in API response
- The tokens and keys in the response are public IDs, not private credentials. They can't be used to gain access to your instance or data.
Finding: Configuration data accessible without login
- This is expected behavior. The app needs this data to show the login page and load the frontend. Blocking these endpoints would break the app.
These endpoints hold no secret data. Specifically, they do not contain:
- Private API keys or secret tokens.
- Customer data or personally identifiable information (PII).
- Database credentials or connection strings.
- Authentication tokens or session data.
Quick-reference summary
| Question | Answer |
|---|---|
| Are these endpoints intentionally public? | Yes — they are open by design. |
| Do they contain private keys or secrets? | No — all values are public setup data. |
| Can these values be used for unauthorized access? | No — they are public IDs, not credentials. |
| Is this a security vulnerability? | No — reviewed and confirmed by Product Security. |
| Why can't authentication be added? | The app needs this data before login to initialize. |
