I want to provide a third-party dependency package for a Spring Boot starter. This package includes static resources and Java code related to the Spring Boot starter. My concern is that the static resources are being accessed through a REST API that I defined within the Spring Boot starter. I feel that this approach is not secure because the API I defined may not necessarily meet the requirements of the users, even though it's only used for accessing static resources. I also believe that exposing a REST API might not be very secure. So, what should I do to follow best practices when providing this third-party package?
I have attempted to restrict these APIs to local access only. I have considered obtaining the user-configured API path during auto-configuration. However, I have been unable to pass the API path to the frontend resources, which are static assets bundled after React packaging. I have also explored the option of modifying the bundled index.html file during runtime but encountered difficulties in passing the API path. My goal is to ensure the security of the API, and if the API I've named does not meet the requirements, I would like to provide the flexibility to customize the API path through a configuration file as much as possible.
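One way to make the mount point configurable without a hand-written endpoint for static files, as an added example that is not the asker's code: the starter's auto-configuration binds a base path from properties, serves the React bundle's assets through a resource handler under that path, and injects the configured path into index.html as a global the bundle reads, so the user's own Spring Security rules can cover everything under one prefix. Assumed names: the `mystarter` property prefix, the `META-INF/resources/mystarter-ui/` classpath location and the `window.__MYSTARTER_BASE__` global; it also assumes Spring Boot 2.7+ with the auto-configuration class listed in the starter's `META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.StreamUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
// Hypothetical prefix: users override it with "mystarter.base-path=/admin/tools" in application.properties.
@ConfigurationProperties(prefix = "mystarter")
class MyStarterProperties {
    private String basePath = "/mystarter";
    public String getBasePath() { return basePath; }
    public void setBasePath(String basePath) {
        // Only a plain path is accepted, so a configured value cannot break out of the injected <script>.
        if (!basePath.matches("/[A-Za-z0-9_\\-/]*")) throw new IllegalArgumentException("bad mystarter.base-path");
        this.basePath = basePath;
    }
}
@RestController
class MyStarterIndexController {
    private final MyStarterProperties props;
    MyStarterIndexController(MyStarterProperties props) { this.props = props; }
    // Spring MVC resolves ${...} placeholders in mapping paths, so the route follows the user's setting.
    @GetMapping(value = "${mystarter.base-path:/mystarter}/", produces = MediaType.TEXT_HTML_VALUE)
    public ResponseEntity<String> index() throws IOException {
        String html = StreamUtils.copyToString(new ClassPathResource("META-INF/resources/mystarter-ui/index.html").getInputStream(), StandardCharsets.UTF_8);
        // Hand the configured path to the React bundle, which reads window.__MYSTARTER_BASE__ at startup (assumed global name).
        String inject = "<script>window.__MYSTARTER_BASE__=\"" + props.getBasePath() + "\";</script>";
        return ResponseEntity.ok(html.replace("</head>", inject + "</head>"));
    }
}
@AutoConfiguration
@EnableConfigurationProperties(MyStarterProperties.class)
class MyStarterAutoConfiguration implements WebMvcConfigurer {
    private final MyStarterProperties props;
    MyStarterAutoConfiguration(MyStarterProperties props) { this.props = props; }
    @Bean MyStarterIndexController myStarterIndexController() { return new MyStarterIndexController(props); }
    // The bundle's static files are served by the resource handler under the same base path; no REST endpoint is involved.
    @Override public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler(props.getBasePath() + "/assets/**").addResourceLocations("classpath:/META-INF/resources/mystarter-ui/assets/");
    }
}
```

The placeholder in `@GetMapping` is resolved against the Environment key as written, so document that users set the kebab-case key `mystarter.base-path`; the React build then calls its API relative to `window.__MYSTARTER_BASE__` instead of a hard-coded path.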