Publicly accessible API documentation (a Swagger/OpenAPI UI, a GraphQL introspection endpoint) can reveal your entire internal API surface — every endpoint, every parameter, every data model — to anyone who finds it, even if the docs were only meant for your own development team.
Public Swagger/OpenAPI documentation maps out your entire API surface — every endpoint, every parameter. Fine if it's a public API you intend to document; a real problem if it exposes internal or admin-only routes you never meant to advertise.
API documentation is either intentionally public, or properly restricted behind authentication.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →