Reusable security scheme is not defined

Issue ID: v3-global-securitydefinitions-undefined

Average severity: High

Description

Reusable security schemes in #/components/securitySchemes have not been defined. Security schemes specify how API clients must authenticate to use your API's operations.

For more details, see the OpenAPI Specification.

Example

The securitySchemes field could be missing altogether, or the field could be empty, with no security schemes specified:

{
    "components": {
        "securitySchemes": {
        }
    }
}

Possible exploit scenario

Without any reusable security schemes, your API does not globally specify any authentication method for consuming the API operations. This means that anyone can use API operations as long as they know the URLs of the operations and how to invoke them.

This sometimes happens to internal APIs. These are often created only to be used inside the company web pages and mobile applications. No one expects any outsiders to know that the API exists, so developers do not spend time implementing security.

But attackers can look at the code of the mobile or web application, or listen to the API traffic, and reverse engineer how the API works. Once the attackers have figured this out, they can start using the API because it does not require any authentication.

Remediation

First, define the security schemes in #/components/securitySchemes:

{
    "components": {
        "securitySchemes": {
            "api_key1": {
                "type": "apiKey",
                "name": "X-Api_Key",
                "in": "header"
            }
        }
    }
}

Then, use the global security field (an array of security requirement objects, each naming a scheme from #/components/securitySchemes) to set your API to require authentication:

{
    "security": [
        {
            "api_key1": []
        }
    ]
}
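The following checker is an added example, not code from the original page or from any vendor's audit tool. It reproduces the logic behind this issue for both the Example and the Remediation sections: it flags a document whose securitySchemes map is missing or empty, then verifies that the global security field is an array whose requirements reference a defined scheme. The two OpenAPI documents embedded below are constructed for the demonstration; the function and finding names are assumptions of this example.

```python
"""Check an OpenAPI 3 document for missing reusable security schemes.

Added example (not part of the original page). The documents below are
constructed test inputs, and the function name is an assumption.
"""
import json

ISSUE_ID = "v3-global-securitydefinitions-undefined"


def check_security_schemes(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the document passes."""
    findings = []
    schemes = doc.get("components", {}).get("securitySchemes")
    if not schemes:
        # Missing or empty: the API tells clients nothing about how to authenticate.
        findings.append(f"{ISSUE_ID}: no reusable security schemes in #/components/securitySchemes")
        return findings

    security = doc.get("security")
    if not security:
        # Schemes exist but nothing applies them, so operations default to no authentication.
        findings.append("global 'security' field is missing or empty; operations require no authentication")
        return findings

    if not isinstance(security, list):
        # A common mistake: writing the requirement as an object instead of an array.
        findings.append("global 'security' must be an array of Security Requirement Objects")
        return findings

    for requirement in security:
        if requirement == {}:
            # Per the OpenAPI spec, an empty requirement in the array makes authentication optional.
            findings.append("empty security requirement {} makes authentication optional")
        for name in requirement:
            if name not in schemes:
                findings.append(f"global security requirement references undefined scheme '{name}'")
    return findings


def check_security_schemes_json(text: str) -> list[str]:
    """Convenience wrapper for a document held as a JSON string."""
    return check_security_schemes(json.loads(text))


# Constructed sample: the empty securitySchemes map from the Example section.
UNPROTECTED_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Internal API (constructed sample)", "version": "1.0"},
    "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
    "components": {"securitySchemes": {}},
}

# Constructed sample: the remediated document with a scheme and a global requirement.
PROTECTED_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Internal API (constructed sample)", "version": "1.0"},
    "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
    "components": {
        "securitySchemes": {
            "api_key1": {"type": "apiKey", "name": "X-Api_Key", "in": "header"}
        }
    },
    "security": [{"api_key1": []}],
}


if __name__ == "__main__":
    for label, doc in (("unprotected", UNPROTECTED_DOC), ("protected", PROTECTED_DOC)):
        result = check_security_schemes(doc)
        print(f"{label}: {'PASS' if not result else result}")
```

Run it as a pre-commit or CI step over every OpenAPI document in the repository; a non-empty result for the global check is exactly the condition this issue reports, and the per-requirement loop catches the related mistakes of an optional `{}` requirement or a reference to a scheme that was never defined.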