Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
The documentation details every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1926e27d0926e27d0926e27d0926e27d0926e27d0926e27d0
Public Swagger UI/API detected at path: /webjars/swagger-ui/index.html
Open service 106.55.156.179:443 · www.moweichen.cn
2026-01-23 05:27
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Language: zh-CN
Content-Type: text/html
Expires: 0
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: XSRF-TOKEN=deac79c8-16b0-4209-aab7-71ef3d4c6eec; Path=/; HTTPOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 Caddy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Fri, 23 Jan 2026 05:27:44 GMT
Connection: close
Transfer-Encoding: chunked
Open service 106.55.156.179:443 · moweichen.cn
2026-01-22 20:07
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Language: zh-CN
Content-Type: text/html
Expires: 0
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: XSRF-TOKEN=201e279d-9dd9-4530-ab83-c0d229a2e3bf; Path=/; HTTPOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 Caddy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 22 Jan 2026 20:07:44 GMT
Connection: close
Transfer-Encoding: chunked