You should be able to configure that in Microsoft IIS in the Reverse Proxy Inbound Rules:

https://docs.mendix.com/developerportal/deploy/deploy-mendix-on-microsoft-windows/#55-configuring-the-url-rewrite

If you remove the ^(rest-doc/)(.*) pattern, I would expect you secured access to that endpoint.

Hello,

Under environment details section of your cloud node, you can restrict the access.

Refer this for more details : 

https://docs.mendix.com/howto9/security/best-practices-security/#request-handlers

I was actually wondering the same thing, if it is possible to disable the ‘/rest-doc' access for our customers who run our application on-premises. Since the answer above is only applicable for the Mendix cloud environments, and if a customer is hosting our application on-premises, then they can just change the access restrictions.