Ensure Global Security Field Is Defined
Ensure that the global security field is defined in the OpenAPI document. The global security field specifies the security requirements that apply to every operation in the API, unless an operation overrides them at the operation level.
Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI005
REMEDIATION
If the global security field is missing, the API has no default security requirements and is open to anyone. This poses a serious security risk for the API and its users, as the API data may be accessed or modified without authorization. Define the global security field and specify the security schemes that apply to the whole API. The security schemes must be defined beforehand in the components/securitySchemes section (securityDefinitions in Swagger 2.0). The global security field is an array of security requirement objects, where each object contains one or more name-value pairs. The name corresponds to a security scheme and the value is an array of the scope names required to execute the operation. For example, if you want to use an API key and OAuth2 for authentication, you can add:
# OpenAPI 3.0
openapi: 3.0.0
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      # ... (rest of the operation omitted)
      responses:
        "200":
          description: OK
# Added: the schemes that the global security field refers to
components:
  securitySchemes:
    apiKey:
      type: apiKey
      name: X-API-Key
      in: header
    OAuth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          scopes:
            read: Grants read access
            write: Grants write access
# Added: the global security field. Each list item is an alternative, so a
# client may present either the API key or an OAuth2 token carrying both
# scopes. Schemes other than oauth2 always take an empty scope list.
security:
  - apiKey: []
  - OAuth2:
      - read
      - write

# Swagger 2.0
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      # ... (rest of the operation omitted)
      responses:
        "200":
          description: OK
# Added: Swagger 2.0 declares schemes at the top level. The `in` location of an
# apiKey scheme may only be header or query here; the cookie location exists
# only in OpenAPI 3.0.
securityDefinitions:
  apiKey:
    type: apiKey
    name: X-API-Key
    in: header
  apiKey2:            # query-string alternative, not referenced by `security` below
    type: apiKey
    name: X-API-Key
    in: query
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://example.com/oauth/authorize
    tokenUrl: https://example.com/oauth/token
    scopes:
      read: Grants read access
      write: Grants write access
# Added: the global security field has the same shape in both versions and
# must only name schemes that are declared above
security:
  - apiKey: []
  - OAuth2:
      - read
      - write
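To see what the rule checks in practice, here is a small checker written for this page (it is not the Spectral rule's implementation or any vendor code). It reports a missing global security field, and goes one step further than OPENAPI005 by also flagging requirement objects that name a scheme or scope the document never declares. Specs are passed as plain dicts, i.e. the parsed JSON/YAML, so no YAML library is needed.

```python
# Added example, not code from the Spectral rule or its vendor: a checker that
# mirrors OPENAPI005 and also verifies that every scheme and scope named in the
# global `security` field is declared. Specs are plain dicts (parsed JSON/YAML).

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def declared_scopes(scheme):
    """Scope names an oauth2 scheme declares; other scheme types declare none."""
    if scheme.get("type") != "oauth2":
        return set()
    flows = scheme.get("flows") or {"flow": scheme}  # 3.x nests flows; 2.0 does not
    return {s for flow in flows.values() for s in flow.get("scopes", {})}


def check_global_security(spec):
    """Return a list of findings; an empty list means the document passes."""
    findings = []
    requirements = spec.get("security")
    if requirements is None:
        findings.append("OPENAPI005: global `security` field is not defined")
        # With no global default, each operation must carry its own requirement.
        for path, item in spec.get("paths", {}).items():
            for method, op in item.items():
                if method in HTTP_METHODS and "security" not in op:
                    findings.append(f"{method.upper()} {path}: no security requirement")
        return findings
    if requirements == []:
        findings.append("global `security` is an empty list, so nothing is required")
    if "openapi" in spec:  # 3.x keeps schemes under components; 2.0 at top level
        schemes = spec.get("components", {}).get("securitySchemes", {})
    else:
        schemes = spec.get("securityDefinitions", {})
    for requirement in requirements:  # each list item is an alternative (OR)
        for name, scopes in requirement.items():
            if name not in schemes:
                findings.append(f"`security` references undeclared scheme `{name}`")
                continue
            unknown = sorted(set(scopes) - declared_scopes(schemes[name]))
            if unknown:
                findings.append(f"`{name}` requests undeclared scopes {unknown}")
    return findings
```

Feed it the parsed form of the 3.0 or 2.0 document above and it returns an empty list; remove the `security` key and it reports the rule violation plus every operation left without a requirement.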