Security

Normally, the HTTP API is fully exposed to the public Internet. This gives anyone on the Internet the ability to use data from your digital collections in their own applications, mashups, etc. This might seem cause for alarm, but in reality, everyone on the Internet has already had this ability, either by harvesting your OAI-PMH content or by screen-scraping your templates. Little, if any, information that was previously private is made public by the dmBridge HTTP API; it has just been made more convenient to access programmatically.

Present in the output of every HTTP API method is a copyright statement asserting your institution's copyright on the information being downloaded. This allows for widespread use of your content while protecting your legal rights. The copyright statement can be changed in the Feeds section of the Control Panel.

Still, some users might wish to restrict their HTTP API, for whatever reason. The HTTP API component itself has no built-in provision for access controls. We recommend that you use the access control features built into your web server (Apache/IIS) to restrict access to your dmapi folder based on IP address. If you are using the templating engine on the same server as the HTTP API, it would be safe to block all hosts except for localhost.
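One way to apply the localhost-only restriction described above on Apache, as an added example that is not part of the dmBridge documentation. The directory path is a placeholder (the real location of your dmapi folder is an assumption you must fill in), and the block goes in the server or virtual host configuration.

```apache
# Placeholder path: replace with the actual filesystem location of the dmapi folder.
<Directory "/path/to/dmbridge/dmapi">

    # Apache 2.4 and later (mod_authz_core is present).
    <IfModule mod_authz_core.c>
        # "local" matches 127.0.0.0/8, ::1, and requests where the client
        # address equals the server address, so a templating engine that
        # calls the API through the server's own hostname is still allowed.
        Require local
        # To admit an additional trusted range, replace the line above with
        # a RequireAny block listing "Require local" and "Require ip <range>".
    </IfModule>

    # Apache 2.2 (no mod_authz_core): legacy host-based access control.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </IfModule>

</Directory>
```

If the web server sits behind a reverse proxy or load balancer, Apache sees the proxy's address rather than the client's, so an IP rule keyed on the proxy address admits every request it forwards. After reloading, confirm that a request to the dmapi folder from another host returns 403 while the templates on the same server still render.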