Ensure API Keys are not sent as clear-text over an unencrypted channel
Ensure that the API Keys used for authentication are not sent as clear-text over an unencrypted channel such as HTTP. Otherwise, the API Keys may be intercepted and compromised by attackers.
Risk Level: medium
Platform: OpenAPI
Spectral Rule ID: OPENAPI004
REMEDIATION
Serve the API endpoints over HTTPS instead of HTTP and declare that in the document (the `schemes` keyword in Swagger 2.0, or `https://` server URLs in OpenAPI 3.x). Alternatively, replace the API keys with a stronger authentication method such as OAuth2 or JWT.
```diff
 swagger: '2.0'
 # OR
 openapi: '3.0.0'
 info:
   title: Simple API Overview
   version: 1.0.0
 paths:
   "/":
     get:
       operationId: listVersionsv2
       summary: List API versions
       responses:
         "200":
           description: 200 response
 # ...
 securityDefinitions:   # 2.0
-  apiKey1:
-    type: apiKey
-    name: X-API-Key
-    in: header
-  apiKey2:
-    type: apiKey
-    name: X-API-Key
-    in: cookie
+  OAuth2:
+    type: oauth2
+    flow: accessCode
+    authorizationUrl: https://example.com/oauth/authorize
+    tokenUrl: https://example.com/oauth/token
+    scopes:
+      read: Grants read access
+      write: Grants write access
 # OR
 components:   # 3.0
   securitySchemes:
-    apiKey1:
-      type: apiKey
-      name: X-API-Key
-      in: header
-    apiKey2:
-      type: apiKey
-      name: X-API-Key
-      in: cookie
+    OAuth2:
+      type: oauth2
+      flows:
+        authorizationCode:
+          scopes:
+            write: modify objects in your account
+            read: read objects in your account
+          authorizationUrl: https://example.com/oauth/authorize
+          tokenUrl: https://example.com/oauth/token
 # BOTH 3.0 and 2.0
-security:
-  - apiKey1: []
-    apiKey2: []
-    apiKey3: []
+security:
+  - OAuth2:
+      - write
+      - read
```
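To make the check behind this rule concrete, here is an added Python example (written for this page, not Spectral's own implementation of OPENAPI004) that scans an already-loaded OpenAPI/Swagger dict for apiKey schemes referenced by `security` while an HTTP-only channel is declared; the sample document and the finding format are constructed here.

```python
def insecure_channels(spec):
    """HTTP-only transports declared by the document (2.0 `schemes` or 3.x `servers`)."""
    if str(spec.get("swagger", "")).startswith("2"):
        # Assumption: a 2.0 document with no `schemes` at all is not flagged here.
        return [s for s in spec.get("schemes", []) if s.lower() == "http"]
    return [srv.get("url", "") for srv in spec.get("servers", [])
            if srv.get("url", "").lower().startswith("http://")]

def api_key_schemes(spec):
    """Names of security schemes of type apiKey, in either the 2.0 or 3.x layout."""
    defs = (spec.get("securityDefinitions")
            or spec.get("components", {}).get("securitySchemes", {}))
    return {name for name, d in defs.items() if d.get("type") == "apiKey"}

def used_schemes(spec):
    """Scheme names referenced by the global or any operation-level `security`."""
    reqs = list(spec.get("security", []))
    for path_item in spec.get("paths", {}).values():
        for op in path_item.values():
            if isinstance(op, dict):  # skip path-level `parameters` lists
                reqs.extend(op.get("security", []))
    return {name for req in reqs for name in req}

def find_cleartext_api_keys(spec):
    """One finding per apiKey scheme that is actually used over an HTTP channel."""
    channels = insecure_channels(spec)
    if not channels:
        return []
    exposed = api_key_schemes(spec) & used_schemes(spec)
    return [f"OPENAPI004: apiKey scheme '{name}' used over {', '.join(channels)}"
            for name in sorted(exposed)]

# Constructed sample: an OpenAPI 3.0 document that protects its only operation
# with an API key while serving it over plain HTTP, i.e. what the rule flags.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "http://api.example.com/v1"}],
    "components": {"securitySchemes": {
        "apiKey1": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        "OAuth2": {"type": "oauth2", "flows": {}},
    }},
    "security": [{"apiKey1": []}],
    "paths": {"/": {"get": {"responses": {"200": {"description": "ok"}}}}},
}

if __name__ == "__main__":
    for finding in find_cleartext_api_keys(SAMPLE_SPEC):
        print(finding)
```

Switching the sample's server URL to `https://` (or dropping `apiKey1` from `security` in favour of `OAuth2`) makes the finding disappear, which mirrors the remediation above.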