When a user does not have access to a rest service he should also not be able to see the documentation of this rest service.
My rest services are now exposed to the public but all my rest services are role protected.
If I disable the path to rest-doc the users that are allowed to use the service cannot see the documentation.
Arguments for this idea from the Mendix doc itself:
Examples are the ws-doc or rest-doc endpoints that enumerate all the published web and REST services of the application. An attacker could use this information to discover possible areas to exploit. (https://docs.mendix.com/howto/security/best-practices-security#4-apply-access-restrictions-to-unnecessary-request-handlers)
A solution would be to make this /rest-doc/ and /ws-doc/ part of the Mendix application as a page. give the page the url-property rest-doc respectively ws-doc ad a standard access-rule or role or whatever.
Also interesting to note is that by default, access to /ws-doc/ is blocked while access to /rest-doc/ is allowed by default. At least this is the case in my very recently created brand new cloud node.