Operation accepts HTTP requests in the clear

Average severity: Medium

Description

The API operation accepts HTTP communications in the clear. HTTP traffic is not encrypted, so anyone on the network path between the client and the API can read it, and can also modify it in transit without either side noticing.

For more details, see the OpenAPI Specification (OAS) v2 or v3.

Example

The following is an example of how this type of risk could look in your API definition:

OAS v2:

{
  "schemes": [
    "http"
  ],

Having both HTTP and HTTPS enabled does not help: the operation still accepts unencrypted connections, and nothing in the definition forces a client to pick HTTPS:

{
  "schemes": [
    "https",
    "http"
  ],

OAS v3:

In OAS v3, an operation (or a path item) can declare its own servers list, which overrides the servers defined at the root of the document. Here the alternative server defined for the operation accepts unencrypted connections, even if every root-level server uses HTTPS:

"get": {
  "description": "Returns pets based on ID",
  "summary": "Find pets by ID",
  "operationId": "getPetsById",
  "servers": [
    {
      "url": "http://my.api.com",
      "description": "Development server"
    }
  ],
  "responses": {
  ...

Possible exploit scenario

If the operation supports unencrypted HTTP connections, all requests and responses are transmitted in the open, including any API keys, bearer tokens, or session cookies carried in the headers. Anyone listening to the network traffic while the calls are being made can intercept them, and anyone in the path can alter them.

Remediation

Declare HTTPS as the only accepted scheme at every level of the definition. The definition only documents the contract, so also make sure the server or API gateway itself rejects or redirects plain HTTP connections; otherwise clients can still reach the operation in the clear regardless of what the definition says.

OAS v2:

Remove http from the schemes list, and only include https. Check any operation-level schemes overrides as well, since they take precedence over the global list:

{
  "schemes": [
    "https"
  ],
}

OAS v3:

Use only secure connections for the servers, at the root, path, and operation level:

"get": {
  "description": "Returns pets based on ID",
  "summary": "Find pets by ID",
  "operationId": "getPetsById",
  "servers": [
    {
      "url": "https://my.api.com",
      "description": "Development server"
    }
  ],
  "responses": {
  ...
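The following is an added example of how to check a definition for this issue before it ships; it is not code from this page or from any vendor tool. It walks an OAS v2 document (global and operation-level schemes) or an OAS v3 document (root, path-level and operation-level servers) and reports every place plain HTTP is admitted. It goes a little beyond the examples above in that it also expands OAS v3 server variables, so a templated URL such as {protocol}://my.api.com whose variable allows http is reported too. The three sample documents, the host my.api.com and the file name in the usage comment are constructed for the example.

```python
"""Added example: report cleartext HTTP in an OpenAPI definition (not the page's own code)."""
import json
import sys

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def _server_urls(server):
    """Expand OAS v3 server variables ({name} placeholders) into every concrete URL.

    "{protocol}://my.api.com" with enum ["http", "https"] becomes both URLs, so a
    plain-HTTP variant is not hidden behind the template.
    """
    urls = [str(server.get("url", ""))]
    for name, var in (server.get("variables") or {}).items():
        values = var.get("enum") or [var.get("default", "")]
        urls = [u.replace("{" + name + "}", str(v)) for u in urls for v in values]
    return urls


def _cleartext_servers(servers, where):
    """Yield (location, url) for each server entry that resolves to an http:// URL.

    Relative URLs such as "/v1" inherit the scheme the document is served from and
    are not flagged here.
    """
    for server in servers or []:
        for url in _server_urls(server):
            if url.lower().startswith("http://"):
                yield where, url


def _operations(spec):
    """Yield (path, method, operation object) for every operation in the document."""
    for path, item in (spec.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method in HTTP_METHODS:
            op = item.get(method)
            if isinstance(op, dict):
                yield path, method, op


def find_cleartext(spec):
    """Return [(location, value), ...] for every place the document admits plain HTTP.

    In both versions the innermost declaration wins, so an https-only root does not
    protect an operation that declares its own http scheme or server.
    """
    findings = []
    if "swagger" in spec:  # OAS v2: global "schemes" plus per-operation overrides
        if "http" in (spec.get("schemes") or []):
            findings.append(("schemes", "http"))
        for path, method, op in _operations(spec):
            if "http" in (op.get("schemes") or []):
                findings.append((f"paths.{path}.{method}.schemes", "http"))
    else:  # OAS v3: root, path-level and operation-level "servers"
        findings.extend(_cleartext_servers(spec.get("servers"), "servers"))
        for path, item in (spec.get("paths") or {}).items():
            if isinstance(item, dict):
                findings.extend(_cleartext_servers(item.get("servers"), f"paths.{path}.servers"))
        for path, method, op in _operations(spec):
            findings.extend(_cleartext_servers(op.get("servers"), f"paths.{path}.{method}.servers"))
    return findings


# Constructed sample documents (not real APIs). The root is https-only; the
# operation overrides it, which is the situation shown in the examples above.
V2_SAMPLE = {
    "swagger": "2.0", "info": {"title": "pets", "version": "1"}, "host": "my.api.com",
    "schemes": ["https"],
    "paths": {"/pets/{id}": {"get": {
        "operationId": "getPetsById", "schemes": ["https", "http"],
        "responses": {"200": {"description": "ok"}}}}},
}
V3_SAMPLE = {
    "openapi": "3.0.3", "info": {"title": "pets", "version": "1"},
    "servers": [{"url": "https://my.api.com"}],
    "paths": {"/pets/{id}": {"get": {
        "operationId": "getPetsById",
        "servers": [{"url": "http://my.api.com", "description": "Development server"}],
        "responses": {"200": {"description": "ok"}}}}},
}
# A templated server URL whose variable admits http as well as https.
V3_TEMPLATED = {
    "openapi": "3.0.3", "info": {"title": "pets", "version": "1"},
    "servers": [{"url": "{protocol}://my.api.com",
                 "variables": {"protocol": {"enum": ["http", "https"], "default": "https"}}}],
    "paths": {},
}

if __name__ == "__main__":
    # Usage: python check_cleartext.py spec.json   (no argument: run the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = {sys.argv[1]: json.load(fh)}
    else:
        docs = {"V2_SAMPLE": V2_SAMPLE, "V3_SAMPLE": V3_SAMPLE, "V3_TEMPLATED": V3_TEMPLATED}
    for name, doc in docs.items():
        for where, value in find_cleartext(doc) or [("-", "no cleartext HTTP found")]:
            print(f"{name}: {where}: {value}")
```

The reported location is a dotted path into the document (for example paths./pets/{id}.get.servers), which points directly at the list to fix. The check reads JSON only; a YAML definition needs to be converted first, since the standard library has no YAML parser.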
