Security Issue: Valid API URI oracle from unauthorised clients


Our APIs are not public and require a client certificate in addition to authentication for access. We don't want to release any information at all about our APIs to the public at large.


Situation:
A security audit of our system found that an unauthorized user can leverage the developer portal to enumerate existing API URLs from the Internet. This is possible as it's leaking valid resources with verbose error messages: "Access denied" versus "Page not found".

Example:
"Access denied"
https://<host-alias>/xyz/apis/post/v1/partnerData
"Page not found"
https://<host-alias>/xyz/apis/post/v1/foobar

Suggested fix:
Have the developer portal use the same error message for valid and invalid resource requests.

The developer documentation on the developer portal is password-protected. The APIs are also protected in a variety of ways, including password-protection. That doesn't mean there is not a security issue here. The point is that anybody on the Internet can tell what our API endpoints are, even without authenticating. This is information that should not be leaked onto the Internet regardless of whether the endpoints are protected or not.

1 ACCEPTED SOLUTION

By default, Drupal out of the box will display 403 pages for access denied and 404 pages for pages not found.

To change this behavior, you could have the 404/403 pages redirect to the login page: https://www.drupal.org/project/anonymous_login

Or, you could use this module to make all 403 pages become 404 pages:
https://www.drupal.org/project/m4032404

Of course you can also write your own custom module to change the behavior to anything you need.
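As an added illustration of the "custom module" option (example code, not part of this post and not the m4032404 module's code), the following Drupal event subscriber swaps the 403 exception for a 404 one before any error page is rendered, but only for anonymous sessions, so unauthenticated clients get an identical "not found" response for both a protected API page and a nonexistent one. It assumes Drupal 9 or 10 (Symfony's `ExceptionEvent`), and the module name `hide_403` and the class and service names are hypothetical.

```php
<?php

/**
 * @file
 * Hypothetical custom module "hide_403" (example, not the portal's own code).
 *
 * Two companion YAML files belong beside this class; they are shown as
 * comments because they are not PHP:
 *
 * modules/custom/hide_403/hide_403.info.yml
 *   name: 'Hide 403 as 404'
 *   type: module
 *   core_version_requirement: ^9 || ^10
 *
 * modules/custom/hide_403/hide_403.services.yml
 *   services:
 *     hide_403.access_denied_as_not_found:
 *       class: Drupal\hide_403\EventSubscriber\AccessDeniedAsNotFoundSubscriber
 *       arguments: ['@current_user']
 *       tags:
 *         - { name: event_subscriber }
 *
 * This file: modules/custom/hide_403/src/EventSubscriber/AccessDeniedAsNotFoundSubscriber.php
 */

namespace Drupal\hide_403\EventSubscriber;

use Drupal\Core\Session\AccountInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Rewrites "access denied" into "not found" for anonymous requests.
 *
 * An unauthenticated client then receives the same 404 response whether the
 * path exists (but is protected) or does not exist at all, so the status code
 * no longer reveals which API documentation pages are real. Authenticated
 * users keep the normal 403 so they can tell a missing permission from a
 * mistyped URL.
 */
class AccessDeniedAsNotFoundSubscriber implements EventSubscriberInterface {

  /**
   * The current user (injected via the '@current_user' service).
   */
  protected AccountInterface $currentUser;

  public function __construct(AccountInterface $current_user) {
    $this->currentUser = $current_user;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // Priority must be higher than Drupal core's own exception subscribers
    // (the custom-page subscriber runs at -50, the default HTML one at -128)
    // so the throwable is swapped before any 403 page is built.
    return [KernelEvents::EXCEPTION => ['onException', 100]];
  }

  /**
   * Replaces a 403 exception with a 404 exception for anonymous users.
   */
  public function onException(ExceptionEvent $event): void {
    $throwable = $event->getThrowable();
    if (!$throwable instanceof AccessDeniedHttpException) {
      return;
    }
    if (!$this->currentUser->isAnonymous()) {
      return;
    }
    // Hand Drupal's normal 404 pipeline a not-found exception. The response is
    // then produced by the same code path as a genuinely missing page, so the
    // body, headers and cache metadata match a real 404 instead of being a
    // relabelled 403 page.
    $event->setThrowable(new NotFoundHttpException('', $throwable));
  }

}
```

After enabling the module and clearing caches, verify the fix the way the audit did: request the two URLs from the original post without authenticating and compare not just the status code but the full response (body length, headers such as `Cache-Control` and `Vary`, and the rendered page). Any remaining difference between the protected path and the nonexistent one is still an oracle, even if both now say 404.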
