No schema defined in the header object

Issue ID: v3-header-schema-undefined

Average severity: Medium

Description

A header object does not define a schema for the accepted input or output. This means that you do not limit the what your API can accept or include in headers.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Because the rate limiting header has no schema defined, it can include anything:

{
    "headers": {
        "X-Rate-Limit-Limit": {
            "description": "The number of allowed requests in the current period"
        }
    }
}

Possible exploit scenario

With response headers, you have to consider the output of the API. Your API has been designed to return specific data, but without schema, you do not limit what is accepted in response headers.

Attackers typically want to make the API to change its behavior and return different data than it is supposed to. A particular API failure might leak some other data, such as records or stack trace. Defining a schema for all header objects helps reduce this risk.

Remediation

Define schemas for all header objects to restrict what input or output is allowed. This provides an extra layer of safety ensuring that your API only returns data that you expect it to return.

{
    "headers": {
        "X-Rate-Limit-Limit": {
            "description": "The number of allowed requests in the current period",
            "schema": {
                "type": "integer",
                "minimum": 0,
                "maximum": 100,
                "format": "int32",
                "additionalProperties": false
            }
        }
    }
}