'Security' field contains an empty array
Issue ID: global-securityrequirement-emptyarray
Average severity: High
Description
The security
field of your API contract does not list any security schemes to be applied. Instead, it just contains an empty array.
The top-level security
field of the OpenAPI contract contains an array of the security schemes applied to the whole API. The list of values describes alternative security schemes that can be used. There is a logical OR
between the security requirements. Individual operations can override the top-level security
in the operation-level security
fields if needed.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. An empty array in the security
field does not apply any security scheme, and thus does not protect the API:
{
// ...
"info": {
"title": "Petstore API"
},
"paths": {
// ...
},
"security": [
]
}
Possible exploit scenario
Even though you can apply security schemes directly to individual operations, it is strongly recommended that you define your default security schemes on the API level. The operation-level security
is meant to be used as an exception-handling mechanism only, not as a best practice.
Relying on defining security
only on each operation individually is an error-prone approach. It is very easy to forget to set security
when you add a new method to the API. If there is no global default security
defined, the operation is left wide open for an attacker to invoke without any authentication required.
Remediation
Make sure you define default security
on the global level for the whole API, and only define exceptions to this on the operation level, if needed.
{
"schemes": [
"https"
],
// ...
"securityDefinitions": {
"OAuth2": {
"type": "oauth2",
"flow": "accessCode",
"scopes": {
"read": "read objects in your account",
"write": "modify objects in your account"
},
"authorizationUrl": "https://example.com/oauth/authorize",
"tokenUrl": "https://example.com/oauth/token"
}
},
// ...
"security" : {
"OAuth2": [
"write",
"read"
]
}
}