x-42c extensions

The x-42c vendor extensions to the OpenAPI Specification (OAS) enable you to enrich your OpenAPI definitions with security information for API Firewall and to provide additional instructions to other features in 42Crunch API Security Platform.

Extension scope

Extensions can have a different scope depending on the level of your OpenAPI definition at which you add them:

  • Global level: The extension applies to the whole API: all paths, operations, and responses.
  • Path level: The extension applies to a specific path, including all operations and responses defined in it.
  • Operation level: The extension is applied to a specific operation and its responses.
  • Response level: The extension is applied to all responses defined for an operation.
  • Status level: The extension is applied to a specific HTTP status code or the default response.

# ...
paths:
    /apis:
        x-42c-local-strategy:
            x-42c-strategy:
                protections:
                    - x-42c-request-limiter_0.1:                # path level
                        # ...
        get:
            x-42c-local-strategy:
                x-42c-strategy:
                    protections:
                        - x-42c-request-limiter_0.1:            # operation level
                            # ...
            parameters:
                # ...
            responses: 
                x-42c-local-strategy:
                    x-42c-strategy:
                        protections:
                            - x-42c-security-headers_0.1:       # response level
                                # ...
                200: 
                    x-42c-local-strategy:
                        x-42c-strategy:
                            protections:
                                - x-42c-security-headers_0.1:   # status level
                                    # ...
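
When reviewing a definition, it helps to list where each protection is declared and at which of the levels shown above. The following Python script is an added example, not 42Crunch code: it walks the path, operation, response and status levels from the YAML above and reports protections declared at more than one level under the same path. The sample definition is constructed to mirror that YAML, the function names are hypothetical, and the global level is left out because its placement is not shown in the example.

```python
from collections import defaultdict

EXT = "x-42c-local-strategy"
METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def protections_at(node):
    """Names of the protections declared directly on one node of the definition."""
    if not isinstance(node, dict):
        return []
    strategy = (node.get(EXT) or {}).get("x-42c-strategy") or {}
    # Each list item is a one-key mapping: {protection name: settings}.
    return [name for item in strategy.get("protections") or []
            if isinstance(item, dict) for name in item]

def inventory(definition):
    """One (level, path, method, status, protection) row per declaration found."""
    rows = []
    for path, item in (definition.get("paths") or {}).items():
        rows += [("path", path, None, None, p) for p in protections_at(item)]
        for method, op in (item or {}).items():
            if str(method).lower() not in METHODS or not isinstance(op, dict):
                continue  # skips the extension key itself and non-operation keys
            rows += [("operation", path, method, None, p) for p in protections_at(op)]
            responses = op.get("responses") or {}
            rows += [("response", path, method, None, p) for p in protections_at(responses)]
            for status, resp in responses.items():
                if status != EXT:
                    rows += [("status", path, method, str(status), p)
                             for p in protections_at(resp)]
    return rows

def declared_at_several_levels(rows):
    """Protections declared at more than one level under the same path."""
    levels = defaultdict(set)
    for level, path, _method, _status, protection in rows:
        levels[(path, protection)].add(level)
    return {key: sorted(found) for key, found in levels.items() if len(found) > 1}

# Constructed sample mirroring the YAML above; settings are elided there, so None here.
LIMITER, HEADERS = "x-42c-request-limiter_0.1", "x-42c-security-headers_0.1"

def strategy(name):
    return {"x-42c-strategy": {"protections": [{name: None}]}}

SAMPLE = {"paths": {"/apis": {
    EXT: strategy(LIMITER),
    "get": {EXT: strategy(LIMITER), "parameters": [],
            "responses": {EXT: strategy(HEADERS), 200: {EXT: strategy(HEADERS)}}},
}}}

if __name__ == "__main__":
    print(*inventory(SAMPLE), declared_at_several_levels(inventory(SAMPLE)), sep="\n")
```

The script only reports where declarations overlap; which declaration takes effect in that case is not stated on this page, so treat each overlap as an item to check against the protection documentation.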

Security extensions

The security extensions control what security measures API Firewall applies to API traffic. For the most part, they define what protections are applied and where. They are used by API Protection when it builds the sequences of actions for incoming requests and outgoing responses in the protection configurations.

For more details on security extensions, see Protections and security extensions. For instructions on how to use these extensions in your OpenAPI definitions, see Apply additional protections. For the descriptions of available protections and their x-42c extensions, see Protections.

Other extensions

You can use the following vendor extensions in your API definitions to provide additional instructions to API Security Audit or API Conformance Scan. These extensions are not used by API Protection when it builds the protection sequences for protection configurations.

Extensions for Security Audit

Extensions for Conformance Scan