Numeric header has no maximum defined
One or more numeric headers in your API has no maximum value specified.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition. The header
type is set to
integer but the maximum value is not specified:
1responses: 2 "200": 3 description: OK 4 headers: 5 x-ids: 6 schema: 7 type: integer 8 format: int32 9
Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.
Set both the
maximum values for numeric headers. This provides an extra layer of safety ensuring that your API only returns data formats that you expect it to return.
1responses: 2 "200": 3 description: OK 4 headers: 5 x-ids: 6 schema: 7 type: integer 8 format: int32 9 minimum: 0 10 maximum: 100 11
Copyright 42Crunch 2021