OpenAPI 2.0 warnings

You can use Postman to identify any potential security misses when your API is defined.

Security warnings for OpenAPI 2.0

Security warnings for OpenAPI 2.0

For all APIs defined in OpenAPI 2.0, the following list describes possible warning messages and potential ways to resolve them.

Global security field should properly enforce security

Security field is not defined

Severity Issue description Possible fix
High If the global security field is not defined, the API does not require any authentication by default. Anyone can access the API operations that do not have a security field defined. The security field should be defined in the schema.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic
security:
    - basicAuth: []

 

Security field does not contain any item

Severity Issue description Possible fix
High If the security field contains an empty array, no security scheme is applied to the operations by default. The security field should contain at least one item in the array.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic
security:
    - basicAuth: []

 

Security field does not contain any scheme

Severity Issue description Possible fix
High An empty object in the security field disables the authentication completely. Without security fields defined for each operation, anyone can access the API operations without any authentication. Security field array items should not contain an empty object.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic
security:
    - basicAuth: []

 

Scope for OAuth scheme used in security field is not defined in the securityDefinition declaration

Severity Issue description Possible fix
Low The OAuth2 scopes used in the global security field should be defined in the security schemes field. Otherwise, an attacker can introduce their scopes to fill the gap and exploit the system. Make sure that all the OAuth2 scopes used are defined in the OAuth2 security scheme.

Resolution:

swagger: '2.0'
#...
security:
  - OAuth2:
    - read
    - write
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    scopes:
      read: read object
      write: writes object
    authorizationUrl: https://example.com/authorize
    tokenUrl: https://example.com/token

 

Reusable security definitions are not defined properly within components

Security definition object not defined

Severity Issue description Possible fix
High The components object of the API does not declare any security definitions which can be used in the security field of the API or individual operations. Security definitions should be defined in the schema of the component.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic

 

Security definition object does not contain any scheme

Severity Issue description Possible fix
High An empty object in the reusable security definition means that no authentication scheme is defined for each operation, anyone can access the API operations without any authentication. Security definitions should contain at least one item in the object.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic

 

Scheme used in security field is not defined in the security definition object

Severity Issue description Possible fix
Medium The authentication scheme used in global or operation security field is not defined in the security definition object. Scheme used in the security field should be defined in the security definition object.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  basicAuth:
    type: basic
security:
    - basicAuth: []

 

Security field for an individual operation should properly enforce security

Security field for the operation does not contain any item

Severity Issue description Possible fix
Medium No security scheme is applied to the API operation by default. The security field in any operation should contain at least one item in the array.

Resolution:

swagger: '2.0'
#...
paths:
  /user:
    get:
      description: 'Returns details about a particular user'
      security:
          - basicAuth: []
      #...
securityDefinitions:
  basicAuth:
    type: basic

 

Security field for the operation does not contain any scheme

Severity Issue description Possible fix
Medium An empty object in the security field disables the authentication completely for the operation. Anyone can access the API operation without any authentication. Specify at least one security requirement in the operation.

Resolution:

swagger: '2.0'
#...
paths:
  /user:
    get:
      description: 'Returns details about a particular user'
      security:
          - basicAuth: []
      #...
securityDefinitions:
  basicAuth:
    type: basic

 

Operation does not enforce any security scheme

Severity Issue description Possible fix
Medium If both the global security field and operation’s security field are not defined, anyone can access the API without any authentication. Define a security field in the operation.

Resolution:

swagger: '2.0'
#...
paths:
  /user:
    get:
      description: 'Sample endpoint: Returns details about a particular user'
      security:
          - basicAuth: []
      #...
securityDefinitions:
  basicAuth:
    type: basic

 

Scope for OAuth scheme used is not defined in the securityDefinition declaration

Severity Issue description Possible fix
Low The OAuth2 scopes used in the security field of the operation should be defined in the security schemes field. Otherwise, an attacker can introduce their scopes to fill the gap and exploit the system. Make sure that all the OAuth2 scopes used are defined in the OAuth2 security scheme.

Resolution:

swagger: '2.0'
#...
paths:
  "/user":
    get:
      summary: 'Sample endpoint: Returns details about a particular user'
      operationId: listUser
      security:
        - OAuth2:
          - read
          - write
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    scopes:
      read: read object
      write: writes object
    authorizationUrl: https://example.com/authorize
    tokenUrl: https://example.com/token

 

Global schemes configuration allows insecure enforcement of security schemes

API accepts credentials from OAuth authentication in plain text

Severity Issue description Possible fix
High The access tokens are sent as plain text over an unencrypted network. Attackers can intercept the access tokens simply by listening to the network traffic in a public Wi-Fi network. Make sure that the scheme used in the schemes array is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
schemes:
  - https
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://my.auth.example.com/
    tokenUrl: https://my.token.example.com/
security:
 - OAuth2: []

 

API accepts API key in plain text

Severity Issue description Possible fix
High API keys are sent as plain text over an unencrypted channel. Attackers can easily intercept API key by listening to the network traffic in a public Wi-Fi network. Make sure that the scheme used in the scheme array is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
schemes:
  - https
securityDefinitions:
  apiKeyAuth:
    type: apiKey
    name: api_key
    in: header
security:
  - apiKeyAuth: []

 

API accepts basic authentication credentials in plain text

Severity Issue description Possible fix
High The credentials are sent as plain text over an unencrypted network. Attackers can intercept the credentials simply by listening to the network traffic in a public Wi-Fi network. Make sure that the scheme used in the scheme array is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
schemes:
  - https
securityDefinitions:
  basicAuth:
    type: basic
security:
 - basicAuth: []

 

Global schemes have HTTP scheme defined

Severity Issue description Possible fix
Medium The server supports unencrypted HTTP connections, all requests and responses will be transmitted in the open. Anyone listening to the network traffic while the calls are being made can intercept them. Make sure that the scheme used in the scheme array is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
schemes:
  - https
#...

 

Operation server configuration allows insecure enforcement of security schemes

Operation accepts credentials from OAuth authentication in plain text

Severity Issue description Possible fix
Medium The API operation accepts the access tokens from a flow that are transported in plain text over an unencrypted channel. Attackers can easily intercept API calls and retrieve the unencrypted tokens. They can then use the tokens to make other API calls. Make sure that the scheme used in the scheme array of the operation is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
paths:
  "/user":
    get:
      summary: 'Sample endpoint: Returns details about a particular user'
      schemes:
          - https
      security:
          - OAuth2: []
      #...
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://my.auth.example.com/
    tokenUrl: https://my.token.example.com/

 

Operation accepts API key in plain text

Severity Issue description Possible fix
High The API operation accepts API keys that are transported in plain text over an unencrypted channel. Attackers can easily intercept API calls and retrieve the API key to make other API calls. Make sure that the scheme used in the scheme array of the operation is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
paths:
  "/user":
    get:
      summary: 'Sample endpoint: Returns details about a particular user'
      schemes:
          - https
      security:
          - apiKeyAuth: []
      #...
securityDefinitions:
  apiKeyAuth:
    type: apiKey
    name: api_key
    in: header

 

Operation accepts basic authentication credentials in plain text

Severity Issue description Possible fix
Medium The API operation accepts the credentials that are transported in plain text over an unencrypted channel. Attackers can easily intercept API calls and retrieve the unencrypted tokens. They can then use the tokens to make other API calls. Make sure that the scheme used in the scheme array of the operation is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
paths:
  "/user":
    get:
      summary: 'Sample endpoint: Returns details about a particular user'
      schemes:
          - https
      security:
          - BasicAuth: []
      #...
securityDefinitions:
  BasicAuth:
    type: basic

 

Schemes of the operation have HTTP scheme defined

Severity Issue description Possible fix
Medium The API operation supports unencrypted HTTP connections, all requests and responses will be transmitted in the open. Anyone listening to the network traffic while the calls are being made can intercept them. Make sure that the scheme used in the scheme array of the operation is HTTPS.

Resolution:

swagger: '2.0'
#...
host: 'example.com'
paths:
  "/user":
    get:
      summary: 'Sample endpoint: Returns details about a particular user'
      schemes:
          - https
      #...

 

Security scheme configuration allows loopholes for credential leaks

Authorization URL uses HTTP protocol. Credentials will be transferred as plain text

Severity Issue description Possible fix
Medium OAuth authorization credentials are transported over an unencrypted channel. Anyone listening to the network traffic while the calls are being made can intercept them. Make sure that the authorization URL is a valid URL and follows HTTPS protocol.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    #...
    authorizationUrl: https://example.com/authorize

 

Token URL uses HTTP protocol

Severity Issue description Possible fix
Medium OAuth authentication tokens are transported over an unencrypted channel. Anyone listening to the network traffic while the token is being sent can intercept it. Make sure that the token URL is a valid URL and follows HTTPS protocol.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    #...
    tokenUrl: https://example.com/token

 

OAuth authentication uses the deprecated implicit flow

Severity Issue description Possible fix
Medium In OAuth implicit flow, authorization server issues access tokens in the authorization request’s response. Attackers can easily intercept API calls and retrieve the access tokens to make other API calls. It is recommended to use accessCode flow. Make sure that the OAuth authentication scheme is not using the implicit flow.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://my.auth.example.com/
    tokenUrl: https://my.token.example.com/
    scopes:
      write: modify data
      read: read data

 

OAuth authentication uses the deprecated password flow

Severity Issue description Possible fix
Medium Oauth password grant flow uses the user’s credentials to retrieve the access token. Attackers can easily intercept API calls and retrieve the access tokens to make other API calls. It is recommended to use accessCode flow. Make sure that the OAuth authentication scheme is not using the password flow.

Resolution:

swagger: '2.0'
#...
securityDefinitions:
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://my.auth.example.com/
    tokenUrl: https://my.token.example.com/
    scopes:
      write: modify data
      read: read data