200 response should be defined for OPTIONS operations

Issue ID: response-options-2xx

Average severity: Medium

Description

OPTIONS operations in your API must have the 200 response defined.

For more details, see RFC 7231.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "options": {
        "description": "Returns allowed methods",
        // ...
        "responses": {
            "429": {
                "description": "Too many requests",
                "schema": {
                    "$ref": "#/definitions/429"
                }              
            }
        }
    }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

Remediation

Define 200 responses for all OPTIONS operations.

{
    "options": {
        "description": "Returns allowed methods",
        // ...
        "responses": {
           "200": {
                "description": "OK",
                "headers": {
                    "Allow": "GET, HEAD, PUT"
                }
            },
            "429": {
                "description": "Too many requests",
                "schema": {
                    "$ref": "#/definitions/429"
                }       
            }
        }
    }
}