Ensure All Paths Have Security Scheme
Ensure that all paths have a security scheme defined in OpenAPI. The security scheme specifies the security requirements that apply to a specific operation in the API. If the security scheme is omitted for a path, the global security field should be defined to apply to all operations in the API.
Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI009
REMEDIATION
If a path does not have a security scheme defined, it means that the operation does not have any security requirements and is open to anyone. This poses a serious security risk for the API and its users, as the operation data may be accessed or modified without authorization. Define the security scheme for each path and specify the security schemes that apply to the operation. The security schemes must be previously defined in the components/securitySchemes section (for OpenAPI 3.0) or in the securityDefinitions section (for OpenAPI 2.0). The security scheme is an array of security requirement objects, where each object contains one or more name-value pairs. The name corresponds to a security scheme and the value is an array of scope names required for the execution. For example, if you want to use an API key and OAuth2 for authentication, you can add:
openapi: 3.0.0
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
+ security: # add security scheme for this path
+ - apiKey: []
+ - OAuth2:
+ - read
+ - write
"/users":
get:
+ security: # add security scheme for this path
+ - apiKey: []
+ - OAuth2:
+ - read
post:
+ security: # add security scheme for this path
+ - OAuth2:
+ - write
.
.
.
components: # 3.0
securitySchemes:
apiKey:
type: apiKey
name: X-API-Key
in: header
OAuth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://example.com/oauth/authorize
tokenUrl: https://example.com/oauth/token
scopes:
read: Grants read access
write: Grants write access
# OR
swagger: '2.0'
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
+ security: # add security scheme for this path
+ - apiKey1: []
+ - OAuth2:
+ - read
+ - write
"/users":
get:
+ security: # add security scheme for this path
+ - apiKey1: []
+ - OAuth2:
+ - read
post:
+ security: # add security scheme for this path
+ - OAuth2:
+ - write
.
.
.
securityDefinitions: # 2.0
apiKey1:
type: apiKey
name: X-API-Key
in: header
apiKey2:
type: apiKey
name: X-API-Key
in: cookie
OAuth2:
type: oauth2
flow: accessCode
authorizationUrl: https://example.com/oauth/authorize
tokenUrl: https://example.com/oauth/token
scopes:
read: Grants read access
write: Grants write access
Read more:
Updated over 1 year ago