If operation has security defined, the 401 response should be defined

Description

If the security section defines security requirements for an API operation, you should define 401 and 403 responses for the operation. The 401 response is missing.

Example

The following is an example how this issue could look in your API definition. The global security section defines authentication for all API operations, but the 401 response is missing from the operation:

...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
  }
}
...
{
  "security": [
   {
     "regularSecurity": []
    }
  ]
}
...
  "post": {
     "description": "Add a new lock combination",
     ...
     "responses": {
       "200": {
         "description": "OK"
       }
       "403": {
         "description": "Forbidden"
        }
      }
    }
  }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

Remediation

Define 401 responses for all operations that have security defined for them.

...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
  }
}
...
{
  "security": [
   {
     "regularSecurity": []
    }
  ]
}
...
  "post": {
     "description": "Add a new lock combination",
     ...
     "responses": {
       "200": {
         "description": "OK"
       }
       "401": {
         "description": "Unauthorized",
         "schema": {
           "$ref": "#/definitions/Error401"
         }
       }
       "403": {
         "description": "Forbidden"
        }
      }
    }
  }
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy