Response that should not contain a body has a schema defined

Issue ID: v3-response-schema-defined

Average severity: Medium

Description

You have defined a schema for one or more responses that should not contain a body:

  • The operation in question is HEAD (no content allowed for HEAD responses), see RFC 7231.
  • The returned HTTP status code is 204 or 304 (no content allowed for these codes), see RFC 7231 and RFC 7232.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "responses": {
        "204": {
            "description": "No content",
            "schema": {
                "content": {
                    "application/json": {
                        "schema": {
                            "$ref": "#/components/schemas/Pets"
                        }
                    }
                }
            }
        }
    }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

Remediation

Remove the schema for all responses that should not contain a body.

{
    "responses": {
        "204": {
            "description": "No content"
        }
    }
}