Array header has no type of items defined
Issue ID: response-header-array-items-notype
Average severity: High
Description
An array header does not specify the type of the items it can contain. The OpenAPI Specification (OAS) v2 requires the type property on items objects. However, most OAS v2 validators do not raise an error when an items object has no type set, so the omission is easy to miss.
Example
The following is an example of how this type of risk could look in your API definition. The response header x-ids is declared as an array, but the type of its elements is not defined:

{
  "responses": {
    "200": {
      "description": "OK",
      "headers": {
        "x-ids": {
          "type": "array",
          "items": {
            "description": "Record Ids"
          }
        }
      }
    }
  }
}
Possible exploit scenario
Your API has been designed to return specific data. Attackers typically want to make the API change its behavior and return different or more data than it is supposed to. A particular API failure might leak other data, such as records or a stack trace.
Locking down your response headers to specific types reduces this risk.
Remediation
Make sure your array header includes the type property for the items the array accepts:

{
  "responses": {
    "200": {
      "description": "OK",
      "headers": {
        "x-ids": {
          "type": "array",
          "items": {
            "description": "Record Ids",
            "type": "integer"
          }
        }
      }
    }
  }
}
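Since most validators do not flag this, the check can be run in your own pipeline. The following script is an added example, not code from the original page or from any linter; it walks an OAS v2 definition's response headers and reports array headers whose items object (at any nesting depth) lacks a type. The spec fragments are constructed to mirror the flawed and remediated headers above.

```python
import copy

# Constructed OAS v2 fragment (not the page's own file); header "x-ids"
# reproduces the flaw: type is array, but its items object has no type.
FLAWED_SPEC = {
    "swagger": "2.0",
    "paths": {"/records": {"get": {"responses": {"200": {
        "description": "OK",
        "headers": {"x-ids": {"type": "array",
                              "items": {"description": "Record Ids"}}},
    }}}}},
}

# Remediated copy: items now declares its type, as in the fix above.
FIXED_SPEC = copy.deepcopy(FLAWED_SPEC)
FIXED_SPEC["paths"]["/records"]["get"]["responses"]["200"]["headers"]["x-ids"]["items"]["type"] = "integer"

# Keys of a path item that are operations (others, e.g. "parameters", are skipped).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def items_untyped(schema):
    """True when an array schema's items (at any nesting depth) lack a type."""
    items = schema.get("items")
    if not isinstance(items, dict) or "type" not in items:
        return True
    # Nested arrays: each inner items object must also carry a type.
    return items["type"] == "array" and items_untyped(items)


def find_untyped_array_headers(spec):
    """Return locations of response headers declared as type array
    without a typed items object (the check this page describes)."""
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, op in path_item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            for code, resp in op.get("responses", {}).items():
                for name, header in resp.get("headers", {}).items():
                    if header.get("type") == "array" and items_untyped(header):
                        findings.append(f"paths[{path}].{method}.responses.{code}.headers.{name}")
    return findings


if __name__ == "__main__":
    print(find_untyped_array_headers(FLAWED_SPEC))  # ['paths[/records].get.responses.200.headers.x-ids']
    print(find_untyped_array_headers(FIXED_SPEC))   # []
```

Responses given as a $ref are not resolved here; resolve references first if your definition uses them.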