406 response should be defined for all GET, POST, PUT, PATCH, and DELETE operations

Issue ID: v3-response-406

Average severity: Medium

Description

One or more operations in your API are missing 406 responses. Operations should have 406 or default response defined if they do both of the following:

  • The operation defines a response that is not a 204 response.
  • The operation constrains the MIME type of the response.

For more details, see RFC 7231.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "responses": {
        "200": {
            "description": "pet response",
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/Pet"
                    }
                }
            }
        }
    }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

Remediation

Make sure that all operations that define a response that is not 204 and that constrain the MIME type of the response have the 406 response defined too.

{
    "responses": {
            "200": {
                "description": "pet response",
                "content": {
                    "application/json": {
                        "schema": {
                            "$ref": "#/components/schemas/Pet"
                        }
                    }
                }
        },
        // ...
        "406": {
            "description": "Not Acceptable",
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/responses/406"
                    }
                }
            }           
        }
    }
}