404 response should be defined for all GET, PUT, HEAD, and DELETE operations
Issue ID: response-404
Average severity: Medium
Description
One or more GET
, PUT
, HEAD
, or DELETE
operations are missing the 404
response. All GET
, PUT
, HEAD
, and DELETE
operations should have the 404
response defined.
For more details, see RFC 7231.
Example
The following is an example of how this type of risk could look in your API definition:
{
"/pets": {
"get": {
"description": "Returns all pets from the system that the user has access to",
"produces": [
"application/json"
],
"responses": {
"200": {
"description": "A list of pets.",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/Pet"
}
}
}
}
}
}
}
Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.
Remediation
Define 404
responses for all GET
, PUT
, HEAD
, and DELETE
operations.
{
"/pets": {
"get": {
"description": "Returns all pets from the system that the user has access to",
"produces": [
"application/json"
],
"responses": {
"200": {
"description": "A list of pets",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/Pet"
}
}
},
"404": {
"description": "Not found",
"schema": {
"$ref": "#/definitions/404"
}
}
}
}
}
}