'SecurityDefinitions' field is not defined

Description

The global securityDefinitions field has not been defined. This field declares the security schemes that API clients must use to authenticate before invoking your API's operations.

For more details, see the OpenAPI Specification.

Example

The securityDefinitions field could be missing altogether, or the field could be empty, with no security schemes specified:

{
  "swagger": "2.0",
  ...
  "securityDefinitions": {
  }
}

Possible exploit scenario

Without the securityDefinitions field, your API does not specify any authentication method for consuming the API operations. This means that anyone can use API operations as long as they know the URLs of the operations and how to invoke them.

This sometimes happens with internal APIs, which are often created only for use by the company's own web pages and mobile applications. No one expects any outsiders to know that the API exists, so developers do not spend time implementing security.

But attackers can look at the code of the mobile or web application, or listen to the API traffic, and reverse engineer how the API works. Once the attackers have figured this out, they can start using the API because it does not require any authentication.

Remediation

First, define the security schemes in the securityDefinitions field:

{
  "securityDefinitions": {
    "api_key1": {
      "type": "apiKey",
      "name": "X-Api_Key",
      "in": "header"
    }
  }
}

Then, reference that scheme in the global security field so that every operation in your API requires authentication by default:

{
  "security": [
    { "api_key1": [] }
  ]
}
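As an added example (not part of the original page), the following Python check audits a parsed Swagger 2.0 document for this finding and the gaps that usually accompany it: a missing or empty securityDefinitions, security requirements that name an undefined scheme, and operations that end up with no requirement at all, including an operation-level `"security": []` that removes the global one. The two sample documents are constructed for illustration.

```python
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def audit_security(doc):
    """Audit a parsed Swagger 2.0 document; return (location, message) findings.

    Flags a missing/empty securityDefinitions, requirements that name an
    undefined scheme, and operations left without any requirement (an empty
    operation-level list removes the global one, so it is flagged too).
    """
    findings = []
    defs = doc.get("securityDefinitions") or {}
    if not defs:
        findings.append(("securityDefinitions", "missing or empty"))
    global_sec = doc.get("security")
    if global_sec is None:
        findings.append(("security", "no global security requirement"))

    def check(location, reqs):
        for req in reqs:
            for scheme in req:
                if scheme not in defs:
                    findings.append((location, f"references undefined scheme '{scheme}'"))

    check("security", global_sec or [])
    for path, item in (doc.get("paths") or {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"
            reqs = op.get("security", global_sec)  # operation-level override wins
            if not reqs:  # None (nothing declared anywhere) or [] (explicit opt-out)
                findings.append((loc, "no authentication required"))
            else:
                check(loc, reqs)
    return findings


# Constructed sample documents (hypothetical, not from the original page).
UNPROTECTED = json.loads("""{"swagger": "2.0", "securityDefinitions": {},
  "paths": {"/users": {"get": {}}}}""")

PROTECTED = json.loads("""{"swagger": "2.0",
  "securityDefinitions": {"api_key1": {"type": "apiKey", "name": "X-Api_Key", "in": "header"}},
  "security": [{"api_key1": []}],
  "paths": {"/users": {"get": {}, "post": {"security": [{"oauth": ["write"]}]}},
            "/health": {"get": {"security": []}}}}""")
```

Running `audit_security(UNPROTECTED)` reports the empty definitions, the missing global requirement and the unauthenticated GET /users; `audit_security(PROTECTED)` reports only the undefined `oauth` scheme on POST /users and the opted-out GET /health.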