Fix guide · medium · openapi_spec_exposed

OpenAPI / Swagger spec publicly exposed

What this rule means

A request to /openapi.json, /swagger.json, or /api-docs returned a full OpenAPI spec.

Why it matters

Reveals every API endpoint, every parameter, every schema — including admin endpoints not linked from the UI.

How to fix it

  1. Decide whether the spec should be public. For a developer-tool API, yes. For a SaaS internal API, no.
  2. For internal APIs, gate the spec endpoint behind auth or remove it from production.
  3. Ensure every endpoint enforces its own auth — don't rely on schema hiding.
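The three steps above as one worked example, added here and not part of the fix guide or of vibecheck itself: a framework-free, stdlib-only Python dispatcher that picks a spec-exposure mode from the deployment environment (step 1), serves the spec only when that mode allows it (step 2), and lints the spec for operations that declare no security requirement so they can be checked for real enforcement (step 3). The names `SPEC_PATHS`, `SAMPLE_SPEC`, `mode_for_environment`, `handle_request` and `find_unsecured_operations`, the bearer-token check and the sample spec are all assumptions constructed for the example.

```python
"""Gate an OpenAPI spec endpoint and lint it for unsecured operations.

Constructed example (stdlib only). Everything here is illustrative: the
helper names, the bearer-token check and the sample spec are assumptions,
not an API of any particular framework or of vibecheck.
"""
import hmac
from typing import Dict, List, Optional, Tuple

# Typical spec locations, as listed in the fix guide.
SPEC_PATHS = {"/openapi.json", "/swagger.json", "/api-docs"}

# HTTP methods that may appear as keys under an OpenAPI path item.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec. /admin/users deliberately has no `security` block,
# and /health opts out explicitly with `security: []`.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0.0"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/items": {"get": {"security": [{"bearer": []}], "responses": {"200": {"description": "ok"}}}},
        "/admin/users": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}


def mode_for_environment(env: str, developer_tool_api: bool) -> str:
    """Step 1: decide how the spec is exposed.

    'public'        -> anyone may fetch it (developer-tool API)
    'authenticated' -> served only with a valid bearer token (non-production)
    'off'           -> not served at all (production, internal API)
    """
    if developer_tool_api:
        return "public"
    return "off" if env == "production" else "authenticated"


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from an `Authorization: Bearer <token>` header (case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token.strip()


def handle_request(path: str, headers: Dict[str, str], *, mode: str,
                   expected_token: str) -> Tuple[int, dict]:
    """Step 2: gate the spec endpoint. Returns (status, JSON body).

    In 'off' mode the route answers 404 exactly like an unknown path, so a
    scanner cannot tell that a spec exists at all.
    """
    if path not in SPEC_PATHS or mode == "off":
        return 404, {"error": "not found"}
    if mode == "authenticated":
        token = _bearer_token(headers)
        # Constant-time comparison on bytes; avoids str-only ASCII restriction.
        if token is None or not hmac.compare_digest(token.encode(), expected_token.encode()):
            return 401, {"error": "unauthorized"}
    return 200, SAMPLE_SPEC


def find_unsecured_operations(spec: dict) -> List[str]:
    """Step 3 helper: list operations whose effective security requirement is empty.

    Per OpenAPI, an operation without `security` inherits the top-level list;
    `security: []` is an explicit opt-out. Both end up here so each can be
    checked against the real auth middleware. Declaring `security` in the spec
    does not enforce anything by itself.
    """
    top_level = spec.get("security") or []
    unsecured = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            effective = op["security"] if "security" in op else top_level
            if not effective:
                unsecured.append(f"{method.upper()} {path}")
    return sorted(unsecured)


if __name__ == "__main__":
    mode = mode_for_environment("production", developer_tool_api=False)
    print("mode:", mode, "->", handle_request("/openapi.json", {}, mode=mode, expected_token="secret")[0])
    print("operations with no security requirement:", find_unsecured_operations(SAMPLE_SPEC))
```

Wire `handle_request` into whatever router the app uses, feeding it the request path and headers; the decision logic stays the same. Run `find_unsecured_operations` in CI so a newly added admin route without a declared requirement fails the build, and pair it with an integration test that actually calls each listed route unauthenticated and expects 401 or 403, since the declaration alone proves nothing.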

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
