So, contentapi has an awesome management system built in, but you can't access it. That alone could give you access to so much junk, such as the admin logs and content restoration and the whole dang thing. But it's difficult to expose it because it's not like it's restricted. Perhaps there could be a setting in contentapi that only allows super users to access the endpoint, and then you just expose it as normal through nginx? Another option is to hide it behind header authentication like .htaccess or whatever the equivalent is in nginx.