Response that should contain a body has no schema defined

Description

You have not defined any schemas for responses that should contain a body.

Empty or no schemas for responses are acceptable for responses that do not have any content:

  • The operation in question is HEAD (no content allowed for HEAD responses), see RFC 7231.
  • The returned HTTP status code is 204 or 304 (no content allowed for these codes), see RFC 7231 and RFC 7232.

Otherwise, all responses should contain a body that has a defined schema.

Example

The following is an example of how this issue could look like in your API definition:

"get": {
  "description": "Returns all pets from the system that the user has access to",
  ...
  "responses": {
    "200": {
      "description": "OK"
    }
  }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

Remediation

Define schemas for all responses that should have a body.

"get": {
  "description": "Returns all pets from the system that the user has access to",
  ...
  "responses": {
    "200": {
      "description": "pet response",
      "schema": {
        "type": "array",
        "items": {
          "$ref": "Pet.json"
        }
      }
    }
  }
}

Alternatively, if you do not want to include a body, you can change the HTTP status code in the response to one that should not have a body.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy