406 response not defined


The 406 response is missing on one or more operations in your API that should have it defined. All operations that do not have 204 response defined and that have the produces property constraining the response MIME type should have 406 response defined.

For more details, see RFC 7231.

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.


Define 406 responses for all operations that do not have 204 responses but that have the produced MIME type restricted.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy