Currently, EndpointRequest provides matchers only for the exposed endpoints. This causes endpoint security to behave differently based on whether the endpoint returns a 200 (when it’s exposure is true) or a 404 (when it’s not included in the exposed endpoints). Someone might want to secure the endpoint regardless of whether it returns a 200 or 404
Comment From: mbhave
This might make #12240 unnecessary.
Comment From: wilkinsona
Given that this is labelled as enhancement, I don't think it should be tackled in 2.2.x. Moving to 2.x.