Comment by brunoarueira

It's a common problem. On a previous job, I'd found one unauthenticated endpoint just because I want to add some integration tests on it and my tests failed! After that, I'd created a script which lists all endpoints and curl each one with invalid credentials and expecting them to return 401.