When working with MEX, apps should watch out not to reveal any sensitive details. As being a mitigation, if the character of the info being uncovered as a result of MEX is sensitive, applications may well decide to configure the MEX endpoint using a protected binding requiring authentication on the http://xy3.pl/