Could you not solve this with your Path based access rules?
I tried the URL but I get a 404 on these paths.
Bumping this back up because this is an issue for me as well.
Hi. I'm the customer who has brought up this issue with Capgemini.
I think it is worth pointing out that in Mendix 6.9.1 the file metamodel.json was not included in the .mda. At least for our application. So why is it included now? It here a way to not requiring it to be included? If not, then we'll need to restrict access.
I'd also like to know if anybody has an answer to this, or a suggestion on how to restrict this file from being shown.
In an audit by a specialist in application security, this situation came up as a potential (albeit low risk) security issue.
It is not a direct risk, but can increase the chance of success of other attacks with this specific kind of information.
Working with Path Based Access Restrictions is not an option I think, because /login.html and /index.html need to be accessible, and they are at the same level as /metamodel.json.