Exposing Swagger/OpenAPI documentation is primarily a risk when the API behind it has underlying security flaws, because the documentation gives attackers a precise roadmap for finding them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities such as broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting the documentation itself remains a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1aad03549f28cbbbbd92336690e5f5b7cf01d900bc1651aa4
Public Swagger UI/API detected at path: /swagger/index.html - sample paths:
GET /api/Compliance/summary
GET /api/Compliance/users/requiring-review
GET /api/Compliance/users/{userId}
GET /api/Diagnostic/environment
GET /api/companies
GET /api/companies/{id}
GET /api/licenses
GET /api/licenses/types
GET /api/licenses/user/{userId}
GET /api/rewards/types
GET /api/rewards/types/company/{companyId}
GET /api/rewards/types/{id}
GET /api/roles
GET /api/roles/permissions
GET /api/roles/{id}
GET /api/users/admins
GET /api/users/customers
GET /api/users/me
GET /api/users/with-license-counts
GET /api/users/{id}
GET /email-templates
GET /email-templates/{id}
PATCH /api/Auth/login/verify
PATCH /api/Auth/register/resend
PATCH /api/Auth/register/verify
POST /api/Auth/forgot-password
POST /api/Auth/forgot-password/validate-code
POST /api/Auth/login
POST /api/Auth/logout
POST /api/Auth/refresh
POST /api/Auth/register
POST /api/Compliance/sync
POST /api/Compliance/users/{userId}/clear
POST /api/Compliance/users/{userId}/reject
POST /api/support/submit
POST /api/users
POST /email-templates/{id}/send