Exposing Swagger/OpenAPI documentation is primarily a risk when the API behind it has underlying security flaws, because the documentation gives attackers a precise roadmap for finding them.
Such specifications detail every endpoint, parameter, and data model, which makes vulnerabilities such as broken access control or injection points easier to discover and exploit.
While a perfectly secure API mitigates the danger, protecting the documentation is still a critical layer of defense: it forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd17bbffd86296b887a737510918324382bc8432bcb708a684c
Public Swagger UI/API detected at path: /swagger/swagger-ui.html - sample paths:
DELETE /admin/locations/maps/{mapid}
DELETE /admin/locations/{locationid}/close/{closingid}
DELETE /admin/locations/{locationid}/externals/{externalpermissionid}
DELETE /admin/locations/{locationid}/maps/{groupid}
DELETE /admin/lunch/{locationid}/image/{imageurl}
DELETE /admin/lunch/{locationid}/room/{roomid}
DELETE /admin/lunch/{locationid}/room/{roomid}/close/{closingid}
DELETE /admin/lunch/{locationid}/room/{roomid}/item/{itemid}
DELETE /admin/lunch/{locationid}/room/{roomid}/slot/{slotid}
DELETE /admin/scheduledcapacities/
DELETE /admin/sitta/{locationid}/image/{imageurl}
DELETE /admin/sitta/{locationid}/item/{itemid}
DELETE /admin/teams/{locationid}/quota/{managerusername}
DELETE /faqadmin/question/{questionid}
DELETE /global/{locationid}/guestbooking/{bookingid}
DELETE /lunch/{locationid}/room/{roomid}/booking/{bookingid}
DELETE /superadmin/delegate/singleuser/{manager}/{username}
DELETE /superadmin/delegate/userdelegate/{manager}/{username}
DELETE /superadmin/lunch/image/{imageurl}
DELETE /superadmin/notifications/{id}
DELETE /teams/{locationid}/booking/{bookingid}
DELETE /userdelegate/{locationid}/booking/{bookingid}
DELETE superadmin/releasenotes/{id}
GET /admin/guestbookings/{locationid}/get
GET /admin/locations/{locationid}
GET /admin/locations/{locationid}/admins
GET /admin/locations/{locationid}/close
GET /admin/locations/{locationid}/externals
GET /admin/locations/{locationid}/maps
GET /admin/lunch/images/global
GET /admin/lunch/{locationid}/images
GET /admin/lunch/{locationid}/room/{roomid}/booking/{bookingid}
GET /admin/lunch/{locationid}/room/{roomid}/bookings
GET /admin/lunch/{locationid}/room/{roomid}/close
GET /admin/lunch/{locationid}/room/{roomid}/slots
GET /admin/lunchstatistics/bookingsperweekday/{locationid}/{roomid}
GET /admin/lunchstatistics/bookingtypes/{locationid}/{roomid}
GET /admin/lunchstatistics/foodordersperday/{locationid}/{roomid}
GET /admin/lunchstatistics/foodordersperslot/{locationid}/{roomid}
GET /admin/scheduledcapacities/{locationid}
GET /admin/sitta/{locationid}/images
GET /admin/sitta/{locationid}/items
GET /admin/statistics/{locationid}/lunchroom/{roomid}/bookingsperweekday
GET /admin/statistics/{locationid}/lunchroom/{roomid}/bookingtypes
GET /admin/statistics/{locationid}/lunchroom/{roomid}/foodordersperday
GET /admin/statistics/{locationid}/lunchroom/{roomid}/foodordersperslot
GET /admin/statistics/{locationid}/overviewbookings
GET /admin/statistics/{locationid}/sitecapacityusage
GET /admin/statistics/{locationid}/sitecapacityusageperweekday
GET /admin/statistics/{locationid}/transportationdistribution
GET /admin/statistics/{locationid}/transportationdistributionperweekday
GET /admin/statistics/{locationid}/workerdistribution
GET /admin/teams/{locationid}/quotas
GET /admin/{locationid}/bookings
GET /admin/{locationid}/bookings/export
GET /global/bookings
GET /global/bookings/{username}
GET /global/bookings/{username}/dateset
GET /global/bookings/{username}/today
GET /global/country/settings/{country}
GET /global/faq/questions
GET /global/favorites/myfavorites
GET /global/favorites/myfavoritesbookings
GET /global/favorites/myfavoritesbookings/basic
GET /global/favorites/suggestions
GET /global/locations/all
GET /global/locations/capacitypercentage/{locationid}
GET /global/locations/{locationid}/maps
GET /global/mydata
GET /global/myguestbookings
GET /global/myteam
GET /global/notifications/
GET /global/roomlookup/allrooms/{roomsandchatboxes}
GET /global/rooms/cachedroomstimestamp/{ikealocation}
GET /global/sitta/{locationid}/items
GET /global/team/bookings
GET /global/userdata/{username}
GET /global/userdata/{username}/settings
GET /global/userexists/{username}
GET /global/userlookup/favorites/{search}
GET /global/userlookup/{search}
GET /global/userpictures/
GET /global/userpictures/onlocation
GET /global/{locationid}/close
GET /global/{locationid}/seats
GET /lunch/allmenus
GET /lunch/{locationid}/room/{roomid}
GET /lunch/{locationid}/room/{roomid}/items
GET /lunch/{locationid}/rooms
GET /lunch/{username}/bookings/
GET /superadmin/administration/admins/
GET /superadmin/delegate/manager/{username}
GET /superadmin/delegate/managers/{managerusername}
GET /superadmin/delegate/users/{managerusername}
GET /superadmin/notifications/
GET /superadmin/vakta/global-exceptions
GET /teams/bookings
GET /teams/locations
GET /teams/sitta/{locationid}/items
GET /userdelegate/mylocations
GET global/releasenotes/
PATCH /admin/locations/{locationid}/maps/{groupid}/children
PATCH /admin/locations/{locationid}/patch
PATCH /global/userdata/{username}/lastseenfeedbackdialogdate
POST /admin/locations/{locationid}/admin/{username}
POST /admin/lunch/slots/{locationid}/{roomid}
POST /admin/lunch/{locationid}/room
POST /admin/lunch/{locationid}/room/{roomid}/item
POST /admin/lunch/{locationid}/room/{roomid}/slot
POST /admin/sitta/{locationid}/item
POST /faqadmin/question
POST /global/bookings/gatestatus/{locationid}
POST /global/favorites/{username}
POST /global/userfeedback
POST /global/{locationid}/guestbooking
POST /lunch/{locationid}/room/{roomid}/booking
POST /superadmin/country/settings
POST /superadmin/delegate/managers
POST /superadmin/delegate/singleuser
POST /superadmin/delegate/userdelegate
POST /superadmin/location
POST /superadmin/lunch/images/global
POST /superadmin/notifications
POST /teams/delegate/managers
POST /teams/delegate/users
POST /teams/{locationid}/booking
POST /userdelegate/{locationid}/booking
POST superadmin/releasenotes/
PUT /admin/guestbookings/{locationid}/guestbooking/{bookingid}
PUT /admin/guestbookings/{locationid}/guestbooking/{bookingid}/comment
PUT /admin/locations
PUT /admin/lunch/{locationid}/room/{roomid}/booking
PUT /admin/teams/{locationid}/quota
PUT /global/faq/question/{questionid}/view
PUT /lunch/deactivatearrived/{bookingid}
PUT /lunch/markarrived/{bookingid}
PUT /superadmin/administration/admins/{locationId}
Open service 172.217.208.121:443 · dev-jobba-api.ingka.dev
2026-01-09 04:20
HTTP/1.1 401 Unauthorized
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
access-control-allow-origin: *
www-authenticate: token is not found
x-cloud-trace-context: 3188fac30623f4d5f6c307bc45cccb6e
date: Fri, 09 Jan 2026 04:20:15 GMT
content-type: text/html
server: Google Frontend
Content-Length: 12
Connection: close

Unauthorized
Open service 172.217.208.121:443 · dev-jobba-api.ingka.dev
2026-01-02 11:12
HTTP/1.1 401 Unauthorized
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
access-control-allow-origin: *
www-authenticate: token is not found
x-cloud-trace-context: 3eec91966939912ec1f5cd3c0d7ac543
date: Fri, 02 Jan 2026 11:12:04 GMT
content-type: text/html
server: Google Frontend
Content-Length: 12
Connection: close

Unauthorized
Open service 172.217.208.121:443 · dev-jobba-api.ingka.dev
2025-12-23 02:28
HTTP/1.1 401 Unauthorized
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
access-control-allow-origin: *
www-authenticate: token is not found
x-cloud-trace-context: 0558bbb2b604cf67f428614f88454890
date: Tue, 23 Dec 2025 02:28:14 GMT
content-type: text/html
server: Google Frontend
Content-Length: 12
Connection: close

Unauthorized
Open service 172.217.208.121:443 · dev-jobba-api.ingka.dev
2025-12-20 21:28
HTTP/1.1 401 Unauthorized
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
access-control-allow-origin: *
www-authenticate: token is not found
x-cloud-trace-context: 6ccf96c740d2fa35b334ce3e5f1ee1d6
date: Sat, 20 Dec 2025 21:29:09 GMT
content-type: text/html
server: Google Frontend
Content-Length: 12
Connection: close

Unauthorized