Array header has no maximum number of items defined

Issue ID: response-header-array-maxitems

Average severity: High

Description

An array header does not specify the maximum number of items it can contain.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "name": "someArray",
    "in": "header",
    "type": "array",
    "items": {
        "type": "string",
        "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
    }
}

Possible exploit scenario

APIs are typically designed to return a limited amount of data. For example, you may have an API that returns a particular user profile information, a specific record, or a page of items to display in a web or mobile application.

Attackers may try to exploit your backend implementation to instead force it to return a larger set of data, like records of all users.

If you have not enforced limits on the amount of data your API can return, this exploit can succeed and lead to a massive data breach.

Remediation

Set the maxItems property for returned arrays as a safety check against data breaches:

{
    "name": "someArray",
    "in": "header",
    "type": "array",
    "maxItems": 3,
    "items": {
        "type": "string",
        "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
    }
}