Generate jHipster standalone server app without security

My understanding is that it is not possible to generate a jHipster app without any security, as is also mentioned here.

I generated a server app (using version 4.9.0) using the following command by selecting the default JWT security: jhipster –skip-client –with-entities –skip-user-management

However, upon running above app, I can call my GET api’s directly (from a rest client such as postman or even directly from the browser), without providing any Authorization header (aka the JWT token). Essentially, security is disabled.

Could this be a bug? What am I missing here? Can someone please shed some light on what’s going on?