How to disable default REST API endpoints and GraphQL for custom endpoint implementation

[only-issues]

Hi PayloadCMS team and community,

I'm looking for guidance on how to completely disable the default REST API endpoints (/api/{collection-slug}) and GraphQL endpoints to implement custom API endpoints instead.

Background & Problem

I've encountered a significant performance and security concern with the default API behavior. When testing the endpoint /api/{collection-slug}?limit=9999999, the API processes this request without proper validation or limits, which poses several risks:

1. Performance Issues: With millions of records in the database, large limit values can cause severe performance degradation
2. Security Vulnerability: Malicious users could spam requests with extremely high limit values, potentially causing DoS attacks
3. Resource Exhaustion: Uncontrolled data fetching can overwhelm server resources and database connections

What I'm Looking For

I need to:

• Completely disable/block access to default REST endpoints (/api/{collection-slug})
• Disable GraphQL endpoints
• Implement custom endpoints with proper validation, rate limiting, and controlled data access
• Maintain full control over API responses and query limits

Questions

1. Is there a built-in way to disable these default endpoints in PayloadCMS configuration?
2. Can we override or intercept these routes before they reach the default handlers?
3. What's the recommended approach for implementing custom API endpoints while maintaining PayloadCMS's authentication and admin functionality?
4. Are there any configuration options to set global maximum limits for queries that I might have missed?

Current Workaround Attempts

I've tried looking for limit configuration options but couldn't find a way to set reasonable defaults or maximum limits for the REST API endpoints.

Any guidance on best practices for securing PayloadCMS APIs while maintaining custom endpoint flexibility would be greatly appreciated.

Thank you!

[rilrom]

Could you possibly use the beforeOperation hook and adjust the req.query.limit value if it goes above a certain number?