Audit issues for the OpenAPI Specification v3

This API security information collection is your encyclopedia on security risks as well as deviation from standards and best practices that OpenAPI (formerly known as Swagger) definitions can have. The collection contains three sections:

  • OpenAPI format requirements: issues in the OpenAPI definition that may render your API malformed so that its security cannot be audited, or that may prevent the API from working properly
  • Data validation: issues in the data definition quality of your API, such as inadequate input validation or output definition
  • Security: issues in the security definitions in your API, like lack of or lax authentication procedures

Each article on an issue contains the following:

  • A definition of the issue
  • An example of how the issue could look like in the definition of your API
  • Possible exploit scenarios (security risks only)
  • Recommended remediation of the issue

This section details the issues API Contract Security Audit may find when auditing API definitions that follow the OpenAPI Specification (OAS) v3.

If your API definition follows the OAS v2, see here.