Array header has no maximum number of items defined


An array header does not specify the maximum number of items it can contain.

For more details, see the OpenAPI Specification.


The following is an example of how this type of risk could look in your API definition:

1name: someArray
2in: header
3type: array
5  type: string
6  pattern: ^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$

Possible exploit scenario

APIs are typically designed to return a limited amount of data. For example, you may have an API that returns a particular user profile information, a specific record, or a page of items to display in a web or mobile application.

Attackers may try to exploit your backend implementation to instead force it to return a larger set of data, like records of all users.

If you have not enforced limits on the amount of data your API can return, this exploit can succeed and lead to a massive data breach.


Set the maxItems property for returned arrays as a safety check against data breaches:

1name: someArray
2in: header
3type: array
4maxItems: 3
6  type: string
7  pattern: ^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$

Copyright 42Crunch 2021