Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1f3d88d60379a9dd97d082611a783f9ced69a0bda94ce39cc
Public Swagger UI/API detected at path: /swagger/v1/swagger.json - sample paths:
GET /api/data-set-files
GET /api/data-set-files/sitemap-items
GET /api/data-set-files/{dataSetFileId}
GET /api/data-set-files/{dataSetFileId}/download
GET /api/education-in-numbers
GET /api/education-in-numbers/nav
GET /api/education-in-numbers/pages/{slug}
GET /api/education-in-numbers/sitemap-items
GET /api/glossary-entries
GET /api/glossary-entries/{slug}
GET /api/methodologies/sitemap-items
GET /api/methodologies/{methodologyVersionId}/images/{fileId}
GET /api/methodologies/{slug}
GET /api/methodology-themes
GET /api/publication-tree
GET /api/publicationInfos
GET /api/publications/sitemap-items
GET /api/publications/{publicationId}/summary
GET /api/publications/{publicationSlug}
GET /api/publications/{publicationSlug}/methodologies
GET /api/publications/{publicationSlug}/release-entries
GET /api/publications/{publicationSlug}/releases
GET /api/publications/{publicationSlug}/releases/latest
GET /api/publications/{publicationSlug}/releases/latest/data-guidance
GET /api/publications/{publicationSlug}/releases/latest/prerelease-access-list
GET /api/publications/{publicationSlug}/releases/latest/searchable
GET /api/publications/{publicationSlug}/releases/latest/summary
GET /api/publications/{publicationSlug}/releases/{releaseSlug}
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/content
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/data-content
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/data-guidance
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/prerelease-access-list
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/related-information
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/summary
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/updates
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/version-summary
GET /api/publications/{publicationSlug}/title
GET /api/redirects
GET /api/releases/{releaseVersionId}/files
GET /api/releases/{releaseVersionId}/files/{fileId}
GET /api/releases/{releaseVersionId}/images/{fileId}
GET /api/themes
POST /api/feedback/page
POST /api/release-files
PUT /api/feedback/release-publishing
Severity: info
Fingerprint: 5733ddf49ff49cd1f3d88d60379a9dd97d082611a783f9ced69a0bda87072a12
Public Swagger UI/API detected at path: /swagger/v1/swagger.json - sample paths:
GET /api/data-set-files
GET /api/data-set-files/sitemap-items
GET /api/data-set-files/{dataSetFileId}
GET /api/data-set-files/{dataSetFileId}/download
GET /api/education-in-numbers
GET /api/education-in-numbers/nav
GET /api/education-in-numbers/pages/{slug}
GET /api/education-in-numbers/sitemap-items
GET /api/glossary-entries
GET /api/glossary-entries/{slug}
GET /api/methodologies/sitemap-items
GET /api/methodologies/{methodologyVersionId}/images/{fileId}
GET /api/methodologies/{slug}
GET /api/methodology-themes
GET /api/publication-tree
GET /api/publicationInfos
GET /api/publications/sitemap-items
GET /api/publications/{publicationId}/summary
GET /api/publications/{publicationSlug}
GET /api/publications/{publicationSlug}/methodologies
GET /api/publications/{publicationSlug}/release-entries
GET /api/publications/{publicationSlug}/releases
GET /api/publications/{publicationSlug}/releases/latest
GET /api/publications/{publicationSlug}/releases/latest/data-guidance
GET /api/publications/{publicationSlug}/releases/latest/prerelease-access-list
GET /api/publications/{publicationSlug}/releases/latest/searchable
GET /api/publications/{publicationSlug}/releases/latest/summary
GET /api/publications/{publicationSlug}/releases/{releaseSlug}
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/content
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/data-content
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/data-guidance
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/prerelease-access-list
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/related-information
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/summary
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/updates
GET /api/publications/{publicationSlug}/releases/{releaseSlug}/version-summary
GET /api/publications/{slug}/title
GET /api/redirects
GET /api/releases/{releaseVersionId}/files
GET /api/releases/{releaseVersionId}/files/{fileId}
GET /api/releases/{releaseVersionId}/images/{fileId}
GET /api/themes
POST /api/feedback/page
POST /api/release-files
PUT /api/feedback/release-publishing
Severity: info
Fingerprint: 5733ddf49ff49cd1f3d88d60f81ae218a6f3a7b0afae09e41388eaf39239d4df
Public Swagger UI/API detected at path: /swagger/v1/swagger.json - sample paths:
GET /api/meta/subject/{subjectId}
GET /api/permalink/{permalinkId}
GET /api/publications/{publicationId}/featured-tables
GET /api/publications/{publicationId}/subjects
GET /api/release/{releaseVersionId}/meta/subject/{subjectId}
GET /api/releases/{releaseVersionId}/featured-tables
GET /api/releases/{releaseVersionId}/subjects
GET /api/tablebuilder/fast-track/{dataBlockParentId}
GET /api/tablebuilder/release/{releaseVersionId}/data-block/{dataBlockParentId}
GET /api/tablebuilder/release/{releaseVersionId}/data-block/{dataBlockParentId}/geojson
POST /api/meta/subject
POST /api/permalink
POST /api/permalink/analytics
POST /api/release/{releaseVersionId}/meta/subject
POST /api/tablebuilder
POST /api/tablebuilder/analytics
POST /api/tablebuilder/release/{releaseVersionId}
Open service 20.105.232.44:80 · dev.explore-education-statistics.service.gov.uk
2026-01-28 15:37
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: close
Date: Wed, 28 Jan 2026 15:37:19 GMT
Location: https://dev.explore-education-statistics.service.gov.uk/
Open service 104.40.191.174:443 · content.dev.explore-education-statistics.service.gov.uk
2026-01-22 22:49
HTTP/1.1 302 Found
Content-Length: 0
Connection: close
Date: Thu, 22 Jan 2026 22:49:55 GMT
Location: /docs
Strict-Transport-Security: max-age=31536000; includeSubDomains
Request-Context: appId=cid-v1:b6707abc-fa27-4f0d-859b-857805a0e8ee
Open service 20.105.232.44:443 · dev.explore-education-statistics.service.gov.uk
2026-01-05 11:05
HTTP/1.1 401 Unauthorized
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Date: Mon, 05 Jan 2026 11:05:45 GMT
ETag: W/"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"
WWW-Authenticate: Basic
Strict-Transport-Security: max-age=15552000; includeSubDomains
x-ms-middleware-request-id: 00000000-0000-0000-0000-000000000000
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self' https://*.googletagmanager.com https://*.google-analytics.com/ https://*.analytics.google.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' https://content.dev.explore-education-statistics.service.gov.uk data: https://*.googletagmanager.com https://*.google-analytics.com/ https://*.analytics.google.com;font-src 'self';connect-src 'self' https://content.dev.explore-education-statistics.service.gov.uk/api/ https://data.dev.explore-education-statistics.service.gov.uk/api/ https://s101d01-fa-ees-notify.azurewebsites.net/api/ https://pp-api.education.gov.uk/statistics-dev/ https://s101d01-ees-srch.search.windows.net https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://dc.services.visualstudio.com/v2/track https://dev.explore-education-statistics.service.gov.uk/api/;frame-src 'self' https://department-for-education.shinyapps.io/ https://dfe-analytical-services.github.io/;frame-ancestors 'self';child-src 'self'
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 0
Open service 20.105.232.44:80 · dev.explore-education-statistics.service.gov.uk
2026-01-05 11:05
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: close
Date: Mon, 05 Jan 2026 11:05:46 GMT
Location: https://dev.explore-education-statistics.service.gov.uk/