Severity: low | CWE-200 | A05:2021

API Documentation Exposed in Production

Swagger UI, ReDoc, or other API documentation interfaces publicly accessible in production, giving attackers a free interactive map of every endpoint, parameter, and authentication method.

How It Works

API docs such as Swagger expose every endpoint, its expected input format, authentication requirements, and example responses. This eliminates reconnaissance time for attackers: they can browse your API interactively and test for vulnerabilities directly from the docs page. The docs also reveal internal structure and field names.

Vulnerable Code

const swaggerUi = require('swagger-ui-express');

// BAD: Swagger UI available in production
app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
// Accessible at: https://yourapi.com/api-docs

Secure Code

const swaggerUi = require('swagger-ui-express');
const swaggerDocument = require('./swagger.json'); // assumed: path to your OpenAPI spec

// GOOD: disable docs in production
if (process.env.NODE_ENV !== 'production') {
  app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
}
// Or: protect with auth middleware

Real-World Example

Penetration testers routinely check /swagger, /api-docs, /swagger-ui.html, and /openapi.json as a first step. Finding exposed Swagger in production immediately reduces the time to find exploitable endpoints from hours to minutes.

How to Prevent It

  • Disable or remove API documentation routes in production builds
  • If docs must be accessible, protect them with authentication (internal team only)
  • Alternatively, host docs on a separate internal-only URL
  • Check for common doc paths: /swagger, /api-docs, /redoc, /openapi.json, /swagger.json

Affected Technologies

Node.js, Next.js, Python, Go
