Why is this an issue?
REST API Resources has some types of methods, including those that make data changes directly:
- HTTP Method POST
- HTTP Method DELETE
- HTTP Method PATCH
For these cases, when the Requires authentication checkbox is not selected, it means that any user who has credentials in the instance will be able to make data changes to it, which represents a security risk.
On the other hand, Requires ACL authorization provides extra security with an ACL that ensures that not every user is able to perform these actions by a REST APIs.
Best practices
Select checkboxes Requires authentication and Requires ACL authorization in all records that have POST/DELETE/PATCH HTTP methods.