If operation has security defined, the 403 response should be defined
Issue ID: v3-response-403
Average severity: Medium
Description
If the security
field defines security requirements for an API operation, you should define 401
and 403
responses for the operation. The 403
response is missing.
For more details, see RFC 7231.
Example
The following is an example of how this type of risk could look in your API definition. The global security
field defines authentication for all API operations, but the 403
response is missing from the operation:
{
"security": [
{
"regularSecurity": []
}
],
// ...
"post": {
"description": "Add a new lock combination",
// ...
"responses": {
"200": {
"description": "OK"
},
"401": {
"description": "Unauthorized",
"schema": {
"$ref": "#/components/schemas/401"
}
}
}
}
}
Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.
Remediation
Define 403
responses for all operations that have security defined for them.
{
"security": [
{
"regularSecurity": []
}
],
// ...
"post": {
"description": "Add a new lock combination",
// ...
"responses": {
"200": {
"description": "OK"
},
"401": {
"description": "Unauthorized",
"schema": {
"$ref": "#/components/schemas/401"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/components/schemas/403"
}
}
}
}
}