Configurable attack surface reduction

[jumpinjackie]

For attack surface reduction config.php should define whether certain routes are enabled/disabled.

[jumpinjackie]

At a minimum (before 1.0 final is released) we should implement the following controls.

A configurable property to determine if repository browsing services are accessible.

A associative array of restcfg.json style directives for Feature Sources. If this property is present, a Feature Source access "whitelist" is in effect.

• Attempts to access any feature source not in this whitelist results in http 403 (forbidden)
• Any queries are bound to the "shape" defined in the whitelisted feature source configuration. Feature queries are restricted to the properties specified in the list
• Attempts to access any representation not defined in the whitelisted feature source configuration results in http 403 (forbidden)
• Attempts to walk the schema in the whitelist feature source will be restricted to what specified. If not defined, the full schema is accessible