String header has no maximum length defined

Average severity: Medium

Description

A string header does not specify the maximum length for the accepted strings.

Example

The following is an example of how this type of risk could look in your API definition:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "string"
          }
        }
      }
    }
  }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.

Remediation

Set the maxLength property for string headers. This provides an extra layer of safety ensuring that your API only returns data that you expect it to return.

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "string",
          "maxLength": "8"
          }
        }
      }
    }
  }
}

We also recommend that you specify a regular expression to further lock down the expected string format.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy