Numeric header has no maximum defined

Issue ID: response-header-numerical-max

Average severity: Medium

Description

One or more numeric headers in your API has no maximum value specified.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The header type is set to integer but the maximum value is not specified:

{
    "responses": {
        "200": {
            "description": "OK",
            "headers": {
                "x-ids": {
                    "type": "integer",
                    "format": "int32"
                }
            }
        }
    }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.

Remediation

Set both the minimum and maximum values for numeric headers. This provides an extra layer of safety ensuring that your API only returns data formats that you expect it to return.

{
    "responses": {
        "200": {
            "description": "OK",
            "headers": {
                "x-ids": {
                    "type": "integer",
                    "format": "int32",
                    "minimum":0,
                    "maximum":100
                }
            }
        }
    }
}