nginx 1.22.1
tcp/443
Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1bf890109bf890109bf890109bf890109bf890109bf890109
Public Swagger UI/API detected at path: /api-docs/swagger.json
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2026-01-23 12:32
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 23 Jan 2026 12:32:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2026-01-23 08:27
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 23 Jan 2026 08:27:06 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2026-01-09 21:06
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 09 Jan 2026 21:06:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2026-01-09 10:24
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 09 Jan 2026 10:24:09 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2025-12-23 07:58
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 23 Dec 2025 07:58:31 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}
Open service 35.161.173.72:443 · public-b2c-api-stg.tryoliver.com
2025-12-22 19:57
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Mon, 22 Dec 2025 19:57:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, content-type, Content-Type, X-Api-Key
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"23-BFIgEsZLDotVU6WUKJne7V0Uajc"
{"message":"API IS UP AND RUNNING"}