Omeka S provides an API as a standard feature, allowing resource retrieval from URLs such as the following:

https://dev.omeka.org/omeka-s-sandbox/api/items

While this is a convenient feature, there may be cases where you do not want to expose the API. In such cases, you can restrict access by adding the following lines to the .htaccess file located directly under the directory where Omeka S is set up.

RewriteCond %{REQUEST_URI} ^.*/api
RewriteRule ^(.*)$ - [F,L]

Place the two lines after RewriteEngine On and before the existing rules, so that the file looks like this:

SetEnv APPLICATION_ENV "production"
# SetEnv APPLICATION_ENV "development"

RewriteEngine On

# Return 403 Forbidden for any request whose path contains /api
RewriteCond %{REQUEST_URI} ^.*/api
RewriteRule ^(.*)$ - [F,L]

# The following rule tells Apache that if the requested filename
# exists, simply serve it.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule !\.(php[0-9]?|phtml|phps)$ - [NC,C]
RewriteRule !(?:^|/)\.(?!well-known(?:/.*)?$) - [C]
RewriteRule .* - [L]

...
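The following is an added example, not part of the original post: it models the RewriteCond above in Python to show which request paths the rule answers with 403, and compares it with a stricter pattern that matches api only as a whole path segment. The stricter pattern, the function names and the sample paths are assumptions made for this illustration.

```python
import re

# Pattern from the page's RewriteCond. mod_rewrite uses PCRE; for these simple
# patterns Python's re module behaves the same way.
PAGE_PATTERN = re.compile(r"^.*/api")

# Stricter variant (an assumption of this example, not from the page):
# "api" must be a complete path segment, so /api-context is left alone.
SEGMENT_PATTERN = re.compile(r"^/(?:.*/)?api(?:/|$)")

# Constructed sample request paths. REQUEST_URI holds the path only,
# without the query string.
SAMPLE_PATHS = [
    "/omeka-s-sandbox/api/items",
    "/api",
    "/api/items/1",
    "/api-context",
    "/s/demo/page/api-guide",
    "/themes/demo/asset/js/api-client.js",
    "/s/demo/item/1",
]


def is_forbidden(pattern, request_uri):
    """Model: RewriteCond %{REQUEST_URI} <pattern> + RewriteRule ^(.*)$ - [F,L]."""
    # A RewriteCond pattern is a search, anchored only where it says so.
    return pattern.search(request_uri) is not None


def compare(paths=SAMPLE_PATHS):
    """Return {path: (blocked_by_page_rule, blocked_by_segment_rule)}."""
    return {
        p: (is_forbidden(PAGE_PATTERN, p), is_forbidden(SEGMENT_PATTERN, p))
        for p in paths
    }


if __name__ == "__main__":
    for path, (page, segment) in compare().items():
        print(f"{path:38} page rule: {'403' if page else 'pass':5}"
              f" segment rule: {'403' if segment else 'pass'}")
```

Because the page's pattern has no boundary after api, it also forbids paths such as /api-context and any page or asset whose name starts with api; check the sites and modules you run against that list before deploying the rule.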

I hope this serves as a useful reference for access restrictions in Omeka S.