API accepts HTTP requests in the clear
The API accepts HTTP communications in the clear. HTTP traffic is neither encrypted nor integrity-protected, so anyone on the network path can read it and, with an active attack, modify it.
Note that `schemes` is an OpenAPI 2.0 (Swagger) field. In OpenAPI 3.x the same risk appears as a `servers` entry whose `url` starts with `http://`; the remediation is the same.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition:

```yaml
schemes:
  - http
```

Having both HTTP and HTTPS enabled does not help: you are still accepting unencrypted connections, and clients that pick the first listed scheme will use plain HTTP:

```yaml
schemes:
  - http
  - https
```
Possible exploit scenario
If your API supports unencrypted HTTP connections, all requests and responses are transmitted in the open, including API keys, bearer tokens, session cookies, and request and response bodies. Anyone positioned on the network path while the calls are being made (for example on a shared Wi-Fi network, at a compromised router, or at any intermediate hop) can intercept them, replay captured credentials, or alter the content in transit. Listing `http` in the definition also signals to generated clients and tooling that plain HTTP is an acceptable way to call the API.
Remediation
Remove `http` from the `schemes` list, and only include `https`:

```yaml
schemes:
  - https
```

The definition only documents what the API is meant to accept. The server or gateway must also stop listening on plain HTTP (or redirect it to HTTPS) for the deployed API to actually refuse cleartext connections.
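The following script is an added example and not 42Crunch's own code. It checks an OpenAPI definition (loaded as JSON) for places where cleartext HTTP is accepted: the OpenAPI 2.0 `schemes` list at the top level and in per-operation overrides, and OpenAPI 3.x `servers` entries at the root, path item and operation level, including server URLs whose scheme is a server variable. The two embedded definitions are constructed samples; the location strings are JSON pointers into the document.

```python
"""Find cleartext (http) endpoints in an OpenAPI 2.0 or 3.x definition.

Added example, not 42Crunch code. Input is the parsed definition (a dict);
use json.load or a YAML loader of your choice to obtain it.
"""
import json
import re

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
VAR_RE = re.compile(r"\{([^}]+)\}")


def _pointer_token(segment):
    """Escape a path segment for use in a JSON pointer (RFC 6901)."""
    return segment.replace("~", "~0").replace("/", "~1")


def _server_schemes(server):
    """Return the set of URL schemes an OpenAPI 3.x Server Object can resolve to.

    A scheme-less (relative) URL inherits the scheme of whatever served the
    document, which this scanner reports separately rather than guessing.
    """
    url = server.get("url", "")
    variables = server.get("variables", {})
    head, sep, _ = url.partition("://")
    if not sep:
        return {"relative"}
    candidates = [head]
    # Substitute every server variable used in the scheme position with
    # each value it may take (enum, falling back to default).
    for name in VAR_RE.findall(head):
        var = variables.get(name, {})
        values = var.get("enum") or [str(var.get("default", ""))]
        candidates = [c.replace("{%s}" % name, v) for c in candidates for v in values]
    return {c.lower() for c in candidates}


def find_cleartext(spec):
    """Return a list of (json_pointer, detail) findings where http is accepted."""
    findings = []
    paths = spec.get("paths", {})

    if "swagger" in spec:  # OpenAPI 2.0: global and per-operation `schemes`
        if "http" in spec.get("schemes", []):
            findings.append(("#/schemes", "http listed"))
        for path, item in paths.items():
            for method in HTTP_METHODS:
                op = item.get(method)
                if op and "http" in op.get("schemes", []):
                    findings.append((f"#/paths/{_pointer_token(path)}/{method}/schemes",
                                     "http listed"))
        return findings

    # OpenAPI 3.x: `servers` at root, path item and operation level.
    def check(servers, where):
        for i, srv in enumerate(servers):
            schemes = _server_schemes(srv)
            if "http" in schemes:
                findings.append((f"{where}/{i}", f"url {srv.get('url')!r} resolves to http"))
            elif "relative" in schemes:
                findings.append((f"{where}/{i}",
                                 f"relative url {srv.get('url')!r}: scheme depends on the host"))

    # Per the 3.x spec, a missing or empty root `servers` defaults to url "/".
    check(spec.get("servers") or [{"url": "/"}], "#/servers")
    for path, item in paths.items():
        check(item.get("servers", []), f"#/paths/{_pointer_token(path)}/servers")
        for method in HTTP_METHODS:
            op = item.get(method)
            if op:
                check(op.get("servers", []), f"#/paths/{_pointer_token(path)}/{method}/servers")
    return findings


# Constructed sample: OpenAPI 2.0 with a per-operation override that re-enables http.
SWAGGER_SAMPLE = json.loads("""
{"swagger": "2.0", "info": {"title": "Constructed sample", "version": "1.0"},
 "host": "api.example.com", "schemes": ["https"],
 "paths": {"/health": {"get": {"schemes": ["http", "https"],
                               "responses": {"200": {"description": "ok"}}}}}}
""")

# Constructed sample: OpenAPI 3.x with a variable scheme and a path-level http server.
OAS3_SAMPLE = json.loads("""
{"openapi": "3.0.3", "info": {"title": "Constructed sample", "version": "1.0"},
 "servers": [{"url": "https://api.example.com"},
             {"url": "{scheme}://legacy.example.com",
              "variables": {"scheme": {"default": "https", "enum": ["http", "https"]}}}],
 "paths": {"/status": {"servers": [{"url": "http://status.example.com"}],
                       "get": {"responses": {"200": {"description": "ok"}}}}}}
""")

if __name__ == "__main__":
    for name, spec in (("swagger", SWAGGER_SAMPLE), ("oas3", OAS3_SAMPLE)):
        for pointer, detail in find_cleartext(spec):
            print(f"{name}: {pointer}: {detail}")
```

Run it against your own definition with `find_cleartext(json.load(open("openapi.json")))`. A clean result means the definition no longer advertises plain HTTP; it says nothing about what the deployed server actually listens on, so pair it with a check of the gateway or listener configuration.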
Copyright 42Crunch 2021