SecurityStatus
Severity: medium | Category: Infrastructure

API Endpoint Discovery

API endpoint discovery probes your domain for API endpoints that may not be intentionally documented or public. Legacy API versions, internal endpoints, and endpoints exposed through JavaScript source maps are all common findings that attackers actively look for.

What SecurityStatus Checks

  • Common API base paths: /api, /api/v1, /api/v2, /rest, /graphql, /rpc
  • API documentation endpoints: /swagger.json, /openapi.yaml, /api-docs
  • Version-specific endpoints that may be deprecated but still accessible
  • JavaScript source maps that reveal internal API structure

Why This Matters

Old API versions are frequently maintained for backward compatibility without receiving the same security updates as current versions. An attacker who finds /api/v1/ when your app uses /api/v3/ may find authentication bypasses or unpatched vulnerabilities in the old version. Source maps can reveal your entire API structure.

How to Fix It

  1. Inventory all API versions in use

     List all API versions your application exposes. Identify which are actively used by clients and which are legacy. Legacy versions should be deprecated and removed on a defined timeline.

  2. Disable or remove unused API versions

     If /api/v1 and /api/v2 are no longer used by any clients, remove them. If clients still depend on them, return 410 Gone responses to encourage migration, then remove them after a migration window.

  3. Disable source map serving in production

     JavaScript source maps (.map files) are useful for debugging but should not be served in production, because they reveal your internal code structure. In your build tool, configure source maps to be kept internal or excluded from deployment.

  4. Apply authentication consistently across all versions

     Ensure every API version has the same authentication and authorisation controls as the current version. Never keep an old version with weaker auth as a 'legacy compatibility' measure.
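The four steps above combined into one enforcement point, as an added example that is not SecurityStatus's code: a WSGI middleware (Python standard library only) that refuses .map files in production, answers retired API versions with 410 Gone plus a Sunset header, and runs the same authentication check for every remaining API version. The demo app, the bearer token, the retired-version set and the Sunset date are constructed for illustration.

```python
# Added example (not SecurityStatus code): WSGI middleware enforcing one API policy.
import re

# Constructed policy: v1 and v2 are retired, v3 is the current version.
RETIRED_VERSIONS = {"v1", "v2"}
SUNSET_DATE = "Wed, 31 Dec 2025 00:00:00 GMT"  # constructed date for the demo
# Matches /api, /api/<anything> and /api/vN/... but not /api-docs.
API_PATH = re.compile(r"^/api(?:/(v\d+))?(?:/|$)")


def api_guard(app, is_authenticated, production=True):
    """Wrap a WSGI app so every API version gets identical handling."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Fix 3: never serve source maps from a production deployment.
        if production and path.endswith(".map"):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        m = API_PATH.match(path)
        if m:
            # Fix 2: retired versions answer 410 Gone; no stale handler code is reachable.
            if m.group(1) in RETIRED_VERSIONS:
                start_response("410 Gone", [("Content-Type", "text/plain"),
                                            ("Sunset", SUNSET_DATE)])
                return [b"this API version has been retired; migrate to /api/v3/\n"]
            # Fix 4: the same auth check for the current version and any unversioned path.
            if not is_authenticated(environ):
                start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                    ("WWW-Authenticate", "Bearer")])
                return [b"authentication required\n"]
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):  # constructed stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def demo_auth(environ):  # constructed token check; use a real validator in practice
    return environ.get("HTTP_AUTHORIZATION") == "Bearer demo-token"


def status_for(path, auth=""):
    """Send one request through the guarded app and return the status line."""
    captured = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    app = api_guard(demo_app, demo_auth)
    b"".join(app(environ, lambda status, headers: captured.append(status)))
    return captured[0]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, api_guard(demo_app, demo_auth)).serve_forever()
```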

Frequently Asked Questions

What are JavaScript source maps?
Source maps are files that map minified/compiled JavaScript back to the original source code. In production, they help attackers understand your application logic and discover API endpoints and data structures defined in your client code.
Should I block all API enumeration attempts?
Rate limit and log API discovery-style requests (sequential probing of versioned paths). However, focus energy on ensuring all API endpoints that do exist require proper authentication rather than trying to hide endpoints entirely.
