To increase the protection of customers sites, starting with our next release (scheduled to go live 24th of August), we are going to enforce the restrictions to access the Business Catalyst apps admin folders. These restrictions will make the app admin folders available to:
- Logged in admin users with appropriate permissions, regardless of the domain they try to load those resources
- The BC app runtime will be able to access files through the app domain with a valid access token (as they do today)
Unauthenticated users as well as front-end users (secure zone logins) will not be able to access files in app admin folders. The system will return a 401 (unauthorized) error code.
If your app admin folders does include files that need to be available to general public in the site front-end it recommended to place them in another folder inside the site, outside of _System/Apps. For more information, read the Building a Business Catalyst app getting started guide.
Alternatively, for every Business Catalyst app, we are going to white like a "public" folder inside the app root folder. All you need to do, is to create a folder named "public" in your app root folder, and place the static resources accessed from site's front-end in there.
Thank you,
The Adobe Business Catalyst team