I will ask the engineer who is looking after your PMR to discuss further with the security team; however, I don't believe this is a security issue.
You can disable the URL with a redirection rule.
Steps.
1. Open Server document in admin client (Basics Tab).
2. Set "Load Internet configurations from Server\Internet Sites documents:" to "Enabled". Save and close server document.
3. Select "Web\Internet Sites" in Admin client on configuration tab.
4. Click Add Internet Site.
5. Enter the following.
- Descriptive Name
- Organisation
- Use this web site to handle requests which cannot be mapped to any other web sites = NO.
- Host names or addresses mapped to this site = Enter your hostname, e.g. testserver.local.lan
- Domino servers that host this site = *
6. Save and close the document. Reopen the document and select "Web Site ..." and then create rule.
7. Enter the following.
- Description
- Type of rule = Redirection
- Incoming URL pattern = /api/data
- Target server directory = where you want them to go to (e.g. / )
- Access level = Read.
8. Save and close, restart HTTP service.
- tell http quit
- load http
Now that URL will not return all the databases.
Feedback response number WEBB8TYQFS created by Simon O'Doherty on 05/04/2012
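
A way to confirm the result of the steps above after the HTTP restart, as an added example that is not part of the original post or of any IBM tooling: it requests `/api/data` without following redirects and reports whether the rule answered. The function names and the assumption that an unredirected `/api/data` returns a JSON list are this example's own.

```python
import json
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, body):
    """Return 'redirected', 'exposed' or 'other' for one HTTP response."""
    if 300 <= status < 400 and location:
        return "redirected"
    if status == 200:
        try:
            parsed = json.loads(body)
        except (ValueError, TypeError):
            return "other"
        # Assumption: without the rule, /api/data answers with a JSON list of databases.
        if isinstance(parsed, list):
            return "exposed"
    return "other"


def probe(base_url, path="/api/data", timeout=10):
    """Request base_url + path once, without following redirects, and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:
        # 3xx (not followed), 4xx and 5xx responses all arrive here.
        return classify(err.code, err.headers.get("Location"), err.read())


if __name__ == "__main__":
    # Usage: python check_redirect.py http://testserver.local.lan
    result = probe(sys.argv[1])
    print(result)
    sys.exit(0 if result == "redirected" else 1)
```

An exit code of 0 means the redirection rule is in effect for that host name; run it once per host name mapped to the Internet Site document.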