Web APIs have emerged as one of the leading vectors of security attacks. Today the entry point to an application's architecture is no longer a single front end but the plethora of APIs that call the backend services to provide the application's functions. This puts the quality and security of your APIs in the spotlight.
The starting point for API security is the API definition itself. If the definition has gaping security holes, layering security measures on top of it only creates a ticking time bomb. The first step is therefore to make sure that your API definition conforms to security best practices.
This API security information collection is your encyclopedia of the security risks, as well as the deviations from standards and best practices, that OpenAPI (formerly known as Swagger) definitions can contain. The collection has two sections:
- OpenAPI format requirements
Issues in the OpenAPI definition that may render your API malformed, so that its security cannot be audited, or that may prevent the API from working properly.
- Security
The actual security risks hiding in the OpenAPI definition of your API, such as inadequate input validation or lax authentication requirements.
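To make the Security section's two headline issue classes concrete, here is a small auditor that walks a parsed OpenAPI 3 document and reports operations with no authentication requirement and parameters or request-body schemas that accept unbounded input. This is an added example, not part of the encyclopedia or of any tool it describes; it goes beyond the page by showing the check rather than just naming the issue. It assumes the definition has already been loaded into a Python dict (for example with json.load, or yaml.safe_load for a YAML file). The two sample definitions are constructed for this example: the first has the holes, the second closes them.

```python
"""Audit an OpenAPI 3 definition (as a dict) for missing authentication
requirements and unconstrained input schemas. Added example; not the
encyclopedia's own code."""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def _check_schema(schema, where, findings):
    """Recursively flag schema nodes that leave the accepted input unbounded."""
    if not isinstance(schema, dict):
        return
    kind = schema.get("type")
    if kind == "string":
        if not any(k in schema for k in ("maxLength", "pattern", "enum")):
            findings.append(f"{where}: string without maxLength, pattern or enum")
    elif kind in ("integer", "number"):
        if "minimum" not in schema or "maximum" not in schema:
            findings.append(f"{where}: {kind} without minimum and maximum")
    elif kind == "array":
        if "maxItems" not in schema:
            findings.append(f"{where}: array without maxItems")
        _check_schema(schema.get("items"), f"{where}[]", findings)
    elif kind == "object" or "properties" in schema:
        if schema.get("additionalProperties", True) is not False:
            findings.append(f"{where}: object does not set additionalProperties to false")
        for name, sub in schema.get("properties", {}).items():
            _check_schema(sub, f"{where}.{name}", findings)


def audit(doc):
    """Return a list of human-readable findings for a parsed OpenAPI 3 document."""
    findings = []
    global_security = doc.get("security")
    for path, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            # An absent 'security' key inherits the global list; an explicit []
            # or an empty {} requirement object both mean "no auth needed".
            security = op.get("security", global_security)
            if not security or any(req == {} for req in security):
                findings.append(f"{where}: no authentication requirement")
            # Path-item parameters apply to every operation under that path.
            for param in item.get("parameters", []) + op.get("parameters", []):
                _check_schema(param.get("schema"), f"{where} param {param.get('name')}", findings)
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                _check_schema(media.get("schema"), f"{where} body ({ctype})", findings)
    return findings


# Constructed sample definitions (not taken from the page).
WEAK = {
    "openapi": "3.0.3", "info": {"title": "Example", "version": "1.0"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],          # unbounded
            "get": {"security": [{"bearer": []}], "responses": {"200": {"description": "ok"}}},
            "delete": {"security": [], "responses": {"204": {"description": "deleted"}}},  # auth off
        },
        "/login": {"post": {                                          # no security, no global default
            "requestBody": {"required": True, "content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"username": {"type": "string"}, "password": {"type": "string"}}}}}},
            "responses": {"200": {"description": "ok"}}}},
    },
}

HARDENED = {
    "openapi": "3.0.3", "info": {"title": "Example", "version": "1.0"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],                                     # default for every operation
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string", "pattern": "^[0-9a-f]{32}$", "maxLength": 32}}],
            "get": {"responses": {"200": {"description": "ok"}}},
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
        "/login": {"post": {
            "security": [],                                           # anonymous by design; still reported
            "requestBody": {"required": True, "content": {"application/json": {"schema": {
                "type": "object", "additionalProperties": False,
                "required": ["username", "password"],
                "properties": {"username": {"type": "string", "maxLength": 64, "pattern": "^[a-z0-9_]+$"},
                               "password": {"type": "string", "maxLength": 128}}}}}},
            "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit(doc))} finding(s)")
        for finding in audit(doc):
            print("  -", finding)
```

The weak definition produces seven findings; the hardened one produces exactly one, for the login operation, because the auditor cannot tell an intentional anonymous endpoint from a forgotten requirement. That is the right outcome: every exception to the global security requirement should be explicit in the definition and consciously accepted in review, not inherited by omission.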
Each article in the sections below contains the following:
- A definition of the issue
- An example of what the issue could look like in the definition of your API
- Possible exploit scenarios (security risks only)
- Recommended remediation of the issue
This is a living document, and we keep improving on it. If you have any feedback for us, do let us know.