Hello NopCommerce Team,
We recently figured out that anyone can execute scheduled tasks with a POST method, without any authentication, using a URL similar to the one provided below:
https://yourStoreUrl.com/scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask, Nop.Services
This is a security risk. On some websites, to get more performance, we generally enable a setting where we cache things on site start, and then we increase the cache-clear scheduled task timeout. But with this open URL, anyone can hit it to reduce website performance.
Also, there are other scheduled tasks that can be called the same way, which is not good at all.
Are there any improvements that you are going to make to this in upcoming versions, or do you suggest that we make changes in existing websites?
Best regards,
Atul
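
A defender-side check for the exposure described above, as an added example that is not part of the original post or of nopCommerce's code: it scans web access logs for POST requests to `/scheduletask/runtask` that come from outside a trusted address list and counts them per source and `taskType`. The combined log format, the `TRUSTED` networks, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

TASK_PATH = "/scheduletask/runtask"  # endpoint named in the post
# Assumption: addresses the store's own scheduler is expected to call from.
TRUSTED = [ip_network("127.0.0.0/8"), ip_network("::1/128")]
# Assumed combined log format: ip - - [time] "METHOD target HTTP/x" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges, made-up second task name).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "POST /scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask%2C%20Nop.Services HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask%2C%20Nop.Services HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "POST /scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask%2C%20Nop.Services HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /scheduletask/runtask HTTP/1.1" 404 0
198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "POST /ScheduleTask/RunTask?taskType=Constructed.Example.Task%2C+Constructed HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /catalog HTTP/1.1" 200 5120
""".splitlines()

def external_task_runs(lines, trusted=TRUSTED):
    """Count POSTs to the task endpoint per (source IP, taskType) from untrusted sources."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, target, _status = m.groups()
        url = urlsplit(target)
        # ASP.NET routes match case-insensitively, so compare in lower case.
        if method != "POST" or url.path.rstrip("/").lower() != TASK_PATH:
            continue
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(addr in net for net in trusted):
            continue
        task = parse_qs(url.query).get("taskType", ["<missing>"])[0]
        hits[(src, task)] += 1
    return hits

if __name__ == "__main__":
    for (src, task), n in external_task_runs(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:15s}  {task}")
```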