Home / Tools / Restrict access to exposed API documentation
Exposed Files · Scan Check Guide

Restrict access to exposed API documentation

20 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Publicly accessible API documentation (a Swagger/OpenAPI UI, a GraphQL introspection endpoint) can reveal your entire internal API surface — every endpoint, every parameter, every data model — to anyone who finds it, even if the docs were only meant for your own development team.

Public Swagger/OpenAPI documentation maps out your entire API surface — every endpoint, every parameter. Fine if it's a public API you intend to document; a real problem if it exposes internal or admin-only routes you never meant to advertise.

How to fix it

  1. 1
    Check common documentation paths
    /swagger, /api-docs, /graphql (with introspection enabled), /docs — see what's live and publicly reachable.
  2. 2
    Restrict access if the API is internal-only
    Put documentation behind authentication, or restrict it to specific IPs, if the API itself isn't meant for public/partner use.
  3. 3
    Disable GraphQL introspection in production specifically
    Introspection is genuinely useful in development but should typically be off in your production environment.
  4. 4
    If the API is intentionally public, this is fine
    Public APIs with public docs (a documented partner API) don't need this fixed — the check exists to catch INTERNAL docs left open by accident.

Common mistakes

How you'll know it's done

API documentation is either intentionally public, or properly restricted behind authentication.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →