Format of a string header is unknown
The format you have defined for a string header does not match any of the formats defined in either the OpenAPI Specification (OAS) or the JSON Schema Specification. Unknown formats cannot be enforced to protect your API, so the result is the same as not defining a format at all.
The following is an example of how this type of risk could look in your API definition. The format host is unknown:

    responses:
      "200":
        description: OK
        headers:
          x-host:
            schema:
              type: string
              format: host
Possible exploit scenario
Your API has been designed to return specific data. If you define an unknown format for strings, you do not actually limit what can be included in response headers.
Attackers typically want to make the API change its behavior and return different data than it is supposed to. A particular API failure might leak other data, such as records or a stack trace.
Using your internal, company-specific formats is not currently supported.
Define a known format for string headers. This provides an extra layer of safety, ensuring that your API only returns data formats that you expect it to return.

    responses:
      "200":
        description: OK
        headers:
          x-host:
            schema:
              type: string
              format: hostname
If you want to use your internal, company-specific format, make sure to also use properties like maxLength to constrain the accepted values.
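As an added example (not part of this 42Crunch page), the following Python snippet shows how a schema-aware validator treats the header definitions above: the unknown host format is silently skipped, hostname rejects a leaked value, and maxLength still constrains a company-specific format. The validate_header function, the format table and the sample values are all constructed for this illustration.

```python
import re

# RFC 1123 hostname check, as used for the OAS/JSON Schema "hostname" format:
# labels of 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Only formats listed here are enforced; anything else is unknown to the validator.
KNOWN_FORMATS = {
    "hostname": lambda v: len(v) <= 253 and HOSTNAME_RE.match(v) is not None,
}


def validate_header(schema, value):
    """Return (ok, reason) for a response header value checked against its OAS schema.

    Mirrors real validators: maxLength is always applied, a known format is
    enforced, and an unknown format is ignored rather than rejected.
    """
    if schema.get("type") == "string" and not isinstance(value, str):
        return False, "value is not a string"
    max_len = schema.get("maxLength")
    if max_len is not None and len(value) > max_len:
        return False, f"value longer than maxLength {max_len}"
    fmt = schema.get("format")
    if fmt is None:
        return True, "no format defined"
    checker = KNOWN_FORMATS.get(fmt)
    if checker is None:
        return True, f"format '{fmt}' is unknown and was not enforced"
    if not checker(value):
        return False, f"value does not match format '{fmt}'"
    return True, f"value matches format '{fmt}'"


# Constructed schemas: the weak definition, the fixed one, and a custom format
# that relies on maxLength because the format itself cannot be enforced.
WEAK_SCHEMA = {"type": "string", "format": "host"}
FIXED_SCHEMA = {"type": "string", "format": "hostname"}
CUSTOM_SCHEMA = {"type": "string", "format": "x-company-host", "maxLength": 32}

# Constructed header values: a legitimate host and a leaked stack trace.
GOOD_VALUE = "api.example.com"
LEAKED_VALUE = "Traceback (most recent call last):\n  File app.py ..."
```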
Copyright 42Crunch 2021