Ensure the security object for operations is not an empty object and does not have any empty object definition

Ensure that the security object for operations in the OpenAPI document is not an empty object and does not have any empty object definition. An empty object or an empty object definition implies that there are no security requirements for the operation, which may not be true or intended. It may also cause errors or inconsistencies when the OpenAPI document is validated or processed.

The security object for operations specifies the security or authorization protocol used when submitting requests to a specific operation. It is an array of one or more security requirement objects. Each security requirement object contains one or more key-value pairs, where the key is the name of a security scheme defined in the components/securitySchemes section, and the value is an array of the scope names required for execution (for OAuth 2 and OpenID Connect only).

Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI018

REMEDIATION

Remove any empty objects or empty object definitions from the security object for operations. Add at least one security requirement object in the security object for operations, and make sure that each security requirement object has a valid key-value pair that references a defined security scheme. For example:

# This is a sample OpenAPI document with an invalid security object for operations

openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
  # Remove any empty objects or empty object definitions from the security object for operations
paths:
  /pets:
    get:
      summary: List all pets

-     security: {} # This is an empty object definition

# OR

      security:
-     - {} # This is an empty object
      - app_id: [] # This is a valid security requirement object
.
.
. 
      responses:
        '200':
          description: A list of pets
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Pet'
components:
  schemas:
    Pet:
      type: object
      required:
        - id
        - name
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
        tag:
          type: string
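
One way to check an already-parsed OpenAPI document for the conditions described above, as an added example that is not part of the original page and is not Spectral's own rule code. The function name, issue labels and sample document are constructed for illustration; it also flags requirement keys that do not match a scheme under components/securitySchemes, as the remediation asks.

```javascript
// Added example: audit operation-level security objects in a parsed OpenAPI 3 document.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];
const isEmptyObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v) && Object.keys(v).length === 0;

function auditOperationSecurity(doc) {
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  const findings = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item && item[method];
      // An operation with no security field of its own inherits the top-level one; skip it.
      if (!op || op.security === undefined) continue;
      const operation = `${method.toUpperCase()} ${path}`;
      if (!Array.isArray(op.security)) {
        // `security: {}` is the "empty object definition" case; any other non-array is malformed.
        const issue = isEmptyObject(op.security) ? "empty-object-definition" : "not-an-array";
        findings.push({ operation, issue });
        continue;
      }
      op.security.forEach((req, index) => {
        if (isEmptyObject(req)) {
          // `- {}` inside the array is the "empty object" case.
          findings.push({ operation, issue: "empty-requirement", index });
          return;
        }
        for (const name of Object.keys(req || {})) {
          if (!Object.prototype.hasOwnProperty.call(schemes, name)) {
            findings.push({ operation, issue: "undefined-scheme", index, scheme: name });
          }
        }
      });
    }
  }
  return findings;
}

// Constructed sample document (hypothetical scheme and header names).
const sampleDoc = {
  components: { securitySchemes: { app_id: { type: "apiKey", in: "header", name: "X-App-Id" } } },
  paths: { "/pets": {
    get: { security: {} },
    post: { security: [{}, { app_id: [] }] },
    put: { security: [{ app_id: [] }] },
    delete: { security: [{ api_key: [] }] },
  } },
};
console.log(auditOperationSecurity(sampleDoc));
```

Findings are returned in the order of HTTP_METHODS for each path, so the result can be diffed between document revisions in CI.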
