Array header has no type of items defined

Issue ID: response-header-array-items-notype

Average severity: High

Description

An array header does not specify the type of items it can contain.

The OpenAPI Specification (OAS) v2 requires the type property in items objects. However, most OAS v2 validators do not raise an error on items objects that do not have type set, so the omission usually goes unnoticed unless you check for it explicitly.

Example

The following is an example of how this type of risk could look in your API definition. The response header contains an array but the type of its elements is not defined:

{
    "responses": {
        "200": {
            "description": "OK",
            "headers": {
                "x-ids": {
                    "type": "array",
                    "items": {
                        "description": "Record Ids"
                    }
                }
            }
        }
    }
}

Possible exploit scenario

Your API has been designed to return specific data. Attackers typically try to make the API change its behavior and return different or more data than it is supposed to. A particular API failure might leak other data, such as records or a stack trace.

Locking down your response headers to specific types reduces this risk.

Remediation

Make sure your array header includes the type property for the items the array accepts:

{
    "responses": {
        "200": {
            "description": "OK",
            "headers": {
                "x-ids": {
                    "type": "array",
                    "items": {
                        "description": "Record Ids",
                        "type": "integer"
                    }
                }
            }
        }
    }
}
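Because most OAS v2 validators stay silent on this, the check is easy to add to your own pipeline. The following Python script is an added example, not code from the original page or from any validator: it walks an OAS v2 definition and reports every array response header whose items object has no type. It understands both the bare "responses" object used in the snippets above and a full definition with paths and operations, and it also descends into nested arrays (an items object of type array whose own items lack a type), which goes slightly beyond the single case shown on this page. The three sample definitions (the page's two snippets plus a constructed full definition) and the function names are the example's own.

```python
"""Lint an OpenAPI (OAS) v2 definition for array response headers whose
items object omits the "type" property.

Added example; not 42Crunch's, Swagger's or any validator's own code.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def _pointer_escape(token):
    """Escape one JSON Pointer reference token (RFC 6901)."""
    return token.replace("~", "~0").replace("/", "~1")


def _untyped_items_depth(schema, depth=0):
    """Return the nesting level (1 = the header's own items) at which an
    array's items object lacks "type", or None if every level is typed.
    A missing items object is reported too: it has no type either."""
    items = schema.get("items")
    if not isinstance(items, dict) or "type" not in items:
        return depth + 1
    if items["type"] == "array":
        return _untyped_items_depth(items, depth + 1)
    return None


def check_headers(headers, location):
    """Flag array headers with untyped items in one response's headers map."""
    findings = []
    for name, header in (headers or {}).items():
        if not isinstance(header, dict) or header.get("type") != "array":
            continue
        depth = _untyped_items_depth(header)
        if depth is not None:
            findings.append({"location": location, "header": name, "items_depth": depth})
    return findings


def check_responses(responses, location):
    """Walk every status code in a responses object."""
    findings = []
    for status, response in (responses or {}).items():
        if isinstance(response, dict):
            findings.extend(check_headers(response.get("headers"),
                                          f"{location}/responses/{status}"))
    return findings


def find_untyped_array_headers(spec):
    """Return a list of findings for a parsed OAS v2 document (dict)."""
    findings = []
    # Snippets like the ones on this page carry "responses" at the top level.
    findings.extend(check_responses(spec.get("responses"), "#"))
    # A full definition nests responses under paths -> operations.
    for path, item in (spec.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                loc = f"#/paths/{_pointer_escape(path)}/{method}"
                findings.extend(check_responses(op.get("responses"), loc))
    return findings


# Constructed samples: the page's two snippets, plus a full definition.
MISSING_ITEMS_TYPE = json.loads("""{"responses": {"200": {"description": "OK",
  "headers": {"x-ids": {"type": "array", "items": {"description": "Record Ids"}}}}}}""")

REMEDIATED = json.loads("""{"responses": {"200": {"description": "OK",
  "headers": {"x-ids": {"type": "array",
    "items": {"description": "Record Ids", "type": "integer"}}}}}}""")

FULL_SPEC = {
    "swagger": "2.0",
    "info": {"title": "constructed sample", "version": "1.0"},
    "paths": {"/records": {"get": {"responses": {"200": {
        "description": "OK",
        "headers": {
            "x-ids": {"type": "array", "items": {"type": "integer"}},      # typed: ok
            "x-matrix": {"type": "array",                                   # inner items untyped
                         "items": {"type": "array", "items": {"description": "row"}}},
            "x-request-id": {"type": "string"},                             # not an array
        },
    }}}}},
}

if __name__ == "__main__":
    for name, spec in [("missing", MISSING_ITEMS_TYPE), ("remediated", REMEDIATED),
                       ("full", FULL_SPEC)]:
        for f in find_untyped_array_headers(spec):
            print(f"{name}: {f['location']} header '{f['header']}' "
                  f"has no item type at nesting level {f['items_depth']}")
```

Each finding carries a JSON Pointer to the response, so it can be fed straight into a CI comment or a ticket; running the script as-is reports the page's first snippet and the nested x-matrix header in the constructed full definition, and nothing for the remediated snippet.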