The ‘securityDefinitions’ section is not defined

Average severity: High

Description

The top-level securityDefinitions section has not been defined. In an OpenAPI 2.0 (Swagger) definition this section declares the security schemes (API key, basic authentication, OAuth 2.0) that API clients must use to authenticate; the security section then applies one or more of those schemes globally or per operation. Without any scheme declared, nothing in the contract requires authentication. (OpenAPI 3.0 moves the same declarations to components.securitySchemes.)

For more details, see the OpenAPI Specification.

Example

The securityDefinitions section could be missing altogether, or the section could be empty, with no security schemes specified:

{
  "swagger": "2.0",
  ...
  "securityDefinitions": {
  }
}

Possible exploit scenario

Without the securityDefinitions section, your API does not specify any authentication method for consuming the API operations. This means that anyone can use API operations as long as they know the URLs of the operations and how to invoke them.

This often happens to internal APIs. These are created to be used only by the company's own web pages and mobile applications. No one expects outsiders to know that the API exists, so developers do not spend time implementing authentication.

But attackers can read the code of the mobile or web application, or intercept the API traffic, and reverse-engineer how the API works. Once they have figured this out, they can call the API directly, because it does not require any authentication.

Remediation

  1. Define the security schemes in the securityDefinitions section:
    {
      "securityDefinitions": {
        "api_key1": {
          "type": "apiKey",
          "name": "X-Api_Key",
          "in": "header"
        }
      }
    }
  2. Use the global security section to set your API to require authentication. Each entry must reference a scheme declared in securityDefinitions; declaring a scheme without applying it leaves the operations unauthenticated:
    {
      "security": [
        { "api_key1": [] }
      ]
    }
  3. Check individual operations. An operation-level security list replaces the global one, so an operation with "security": [] opts out of authentication entirely; only do this deliberately, for example for a health-check endpoint.

Note that the API definition only documents the requirement. The API implementation, or the gateway in front of it, must actually validate the credential on every operation.
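The following is an added example (not code from the original page or from any project) that automates the check described above: it loads a Swagger 2.0 document and reports a missing or empty securityDefinitions section, operations to which no security requirement applies, and requirements that reference a scheme that was never declared. The sample documents, the path /pets and the scheme name api_key1 are constructed for illustration.

```python
import json
import sys

# Operation keys of a Swagger 2.0 path item; other keys (parameters, $ref,
# x-* extensions) are not operations and must be skipped.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def effective_security(doc, operation):
    """Return the security requirements that apply to one operation.

    In OpenAPI 2.0 an operation-level `security` list replaces the global
    one, so `"security": []` on an operation disables authentication for it
    even when a global requirement exists.
    """
    if "security" in operation:
        return operation["security"]
    return doc.get("security")


def check_security_definitions(doc):
    """Return a list of findings for a Swagger 2.0 document; [] means clean."""
    findings = []
    defs = doc.get("securityDefinitions")
    if defs is None:
        return ["securityDefinitions: section is missing"]
    if not defs:
        return ["securityDefinitions: section is empty, no scheme is declared"]

    for path, item in doc.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            reqs = effective_security(doc, operation)
            if not reqs:  # None (never set) or [] (explicitly disabled)
                findings.append(f"{where}: no security requirement applies")
                continue
            for requirement in reqs:
                for name in requirement:
                    if name not in defs:
                        findings.append(
                            f"{where}: references undeclared scheme '{name}'")
    return findings


def _paths():
    # Constructed minimal path item shared by the sample documents below.
    return {"/pets": {
        "get": {"responses": {"200": {"description": "ok"}}},
        "post": {"responses": {"201": {"description": "created"}}},
    }}


# Constructed samples: section missing, section empty, the remediated form,
# and a document whose GET has a typo in the scheme name while POST opts out.
MISSING = {"swagger": "2.0", "info": {"title": "pets", "version": "1"},
           "paths": _paths()}
EMPTY = dict(MISSING, securityDefinitions={})
FIXED = dict(MISSING,
             securityDefinitions={"api_key1": {"type": "apiKey",
                                               "name": "X-Api_Key",
                                               "in": "header"}},
             security=[{"api_key1": []}])
PARTIAL = dict(FIXED)
PARTIAL["paths"] = {"/pets": {
    "get": {"security": [{"api_key": []}],
            "responses": {"200": {"description": "ok"}}},
    "post": {"security": [],
             "responses": {"201": {"description": "created"}}},
}}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_secdefs.py openapi.json
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: json.load(fh)}
    else:
        samples = {"MISSING": MISSING, "EMPTY": EMPTY,
                   "FIXED": FIXED, "PARTIAL": PARTIAL}
    for label, document in samples.items():
        print(label, check_security_definitions(document) or ["clean"])
```

Run it with no arguments to see the four constructed samples, or pass the path of a Swagger 2.0 JSON file. The FIXED sample is the remediated document from the steps above and produces no findings; the PARTIAL sample shows the two related defects that a non-empty securityDefinitions section alone does not prevent.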
