Ensure All Paths Have Security Scheme

Ensure that every path has a security scheme defined in the OpenAPI document. The security field specifies the security requirements that apply to a specific operation in the API. If an operation omits the security field, the top-level (global) security field must be defined so that its requirements apply to all operations in the API.

Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI009

REMEDIATION

If a path does not have a security scheme defined, the operation has no security requirements and is open to anyone. This poses a serious security risk for the API and its users, as the operation's data may be read or modified without authorization. Define the security field for each path and list the security schemes that apply to the operation. Each scheme must already be declared in the components/securitySchemes section (OpenAPI 3.0) or in the securityDefinitions section (OpenAPI 2.0). The security field is an array of security requirement objects, where each object contains one or more name-value pairs: the name refers to a declared security scheme and the value is the array of scope names required to execute the operation (an empty array for schemes that do not use scopes). Separate objects in the array are alternatives, so a request that satisfies any one of them is accepted, whereas all schemes listed inside a single object must be satisfied together. For example, to accept either an API key or an OAuth2 token, you can add:

openapi: 3.0.0
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
+     security:           # add security requirement for this operation
+       - apiKey: []
+       - OAuth2:
+           - read
+           - write
  "/users":
    get:
+     security:           # add security requirement for this operation
+       - apiKey: []
+       - OAuth2:
+           - read
    post:
+     security:           # add security requirement for this operation
+       - OAuth2:
+           - write
.
.
.

components:           # 3.0
  securitySchemes:
    apiKey:
      type: apiKey
      name: X-API-Key
      in: header
    OAuth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          scopes:
            read: Grants read access
            write: Grants write access

# OR

swagger: '2.0'
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
+     security:           # add security requirement for this operation
+       - apiKey1: []
+       - OAuth2:
+           - read
+           - write
  "/users":
    get:
+     security:           # add security requirement for this operation
+       - apiKey1: []
+       - OAuth2:
+           - read
    post:
+     security:           # add security requirement for this operation
+       - OAuth2:
+           - write

.
.
.

securityDefinitions:  # 2.0
  apiKey1:
    type: apiKey
    name: X-API-Key
    in: header
  apiKey2:
    type: apiKey
    name: X-API-Key
    in: query           # Swagger 2.0 apiKey accepts only "query" or "header"; "cookie" exists in OpenAPI 3.0 only
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://example.com/oauth/authorize
    tokenUrl: https://example.com/oauth/token
    scopes:
      read: Grants read access
      write: Grants write access
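
As an added example (not the scanner's own Spectral rule), the following Python function applies this check to an OpenAPI document loaded as JSON, covering the cases the rule has to handle: an operation that inherits the global security field, security: [] (explicitly disabled), an empty {} requirement object (an anonymous alternative), and a requirement that names a scheme never declared. The function name unsecured_operations and the sample document SAMPLE_SPEC are assumptions constructed here.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document (not from the page): one correctly secured
# operation plus the failure modes the rule has to catch.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "info": {"title": "Simple API Overview", "version": "1.0.0"},
  "paths": {
    "/": {"get": {"security": [{"apiKey": []}, {"OAuth2": ["read", "write"]}]}},
    "/users": {"get": {},
               "post": {"security": []},
               "delete": {"security": [{"OAuth2": ["write"]}, {}]}},
    "/health": {"get": {"security": [{"basicAuth": []}]}}
  },
  "components": {"securitySchemes": {
    "apiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    "OAuth2": {"type": "oauth2", "flows": {"authorizationCode": {
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "https://example.com/oauth/token",
      "scopes": {"read": "Grants read access", "write": "Grants write access"}}}}}}
}""")


def unsecured_operations(spec):
    """Return one finding per operation whose security cannot be enforced:
    operation-level `security` overrides the global one; `security: []`
    disables all requirements; an empty requirement object {} is an alternative
    permitting anonymous access; undeclared scheme names are reported too."""
    declared = (spec.get("components", {}).get("securitySchemes")
                or spec.get("securityDefinitions") or {})
    global_sec = spec.get("security")
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:  # skip parameters, summary, ...
                continue
            label = f"{method.upper()} {path}"
            sec = op.get("security", global_sec)
            if not sec:  # None: nothing set anywhere; []: explicitly disabled
                findings.append(f"{label}: no security requirement")
                continue
            for req in sec:
                if not req:
                    findings.append(f"{label}: empty requirement {{}} allows anonymous access")
                for name in req:
                    if name not in declared:
                        findings.append(f"{label}: undeclared security scheme '{name}'")
    return findings
```

Running it over SAMPLE_SPEC reports GET /users, POST /users, DELETE /users and GET /health, while GET / passes because both of its alternatives name declared schemes.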