'Security' field contains an empty array

Issue ID: v3-global-securityrequirement-emptyarray

Average severity: High

Description

The security field of your API contract does not list any security schemes to be applied. Instead, it just contains an empty array.

The top-level security field of the OpenAPI contract contains an array of the security schemes applied to the whole API. The list of values describes alternative security schemes that can be used. There is a logical OR between the security requirements. Individual operations can override the top-level security in the operation-level security fields if needed.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. An empty array in the security field does not apply any security scheme, and thus does not protect the API:

{
    // ...
    "info": {
        "title": "Petstore API"
    },
    "paths": {
        // ...
    },
    "security": []
}

Possible exploit scenario

Even though you can apply security schemes directly to individual operations, it is strongly recommended that you define your default security schemes on the API level. The operation-level security is meant to be used as an exception-handling mechanism only, not as a best practice.

Relying on defining security only on each operation individually is an error-prone approach. It is very easy to forget to set security when you add a new method to the API. If there is no global default security defined, the operation is left wide open for an attacker to invoke without any authentication required.
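As an added example that is not part of this advisory, the following Python checker applies the inheritance rule described above: an operation's effective security is its own security field when present, otherwise the global one, so with an empty global array every operation that does not override it is exposed. The sample contract, its paths and the OAuth2 scheme name are constructed for the example.

```python
# Added example (not from the original advisory): compute the effective
# security of each operation in an OpenAPI 3 document.
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample contract; path and scheme names are made up.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "security": [],
  "paths": {
    "/pets": {
      "get": {"responses": {"200": {"description": "ok"}}},
      "post": {"security": [{"OAuth2": ["write"]}],
               "responses": {"201": {"description": "created"}}}
    },
    "/pets/{id}": {
      "delete": {"security": [{}, {"OAuth2": ["write"]}],
                 "responses": {"204": {"description": "deleted"}}}
    }
  }
}""")

def global_security_is_empty(spec):
    """True when the top-level 'security' field is present but an empty array."""
    return spec.get("security") == []

def effective_security(spec, operation):
    """Operation-level 'security' replaces the global default; absence inherits it."""
    return operation["security"] if "security" in operation else spec.get("security", [])

def unprotected_operations(spec):
    """Return 'METHOD /path' for each operation callable without authentication:
    its effective requirement list is empty, or contains the empty requirement
    object {}, which OpenAPI defines as making security optional."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is not None:
                requirements = effective_security(spec, op)
                if not requirements or {} in requirements:
                    findings.append(f"{method.upper()} {path}")
    return findings

if __name__ == "__main__":
    print("global security empty:", global_security_is_empty(SAMPLE_SPEC))
    print("unprotected:", unprotected_operations(SAMPLE_SPEC))
```

Only POST /pets is protected in the sample; GET /pets inherits the empty global array and DELETE /pets/{id} allows anonymous access through the empty requirement object.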

Remediation

Make sure you define default security on the global level for the whole API, and only define exceptions to this on the operation level, if needed.

{
    "security": [
        {
            "OAuth2": ["readOnly"]
        }
    ],
    // ...
    "servers": [
        {
            "url": "https://my.api.server.com/",
            "description": "API server"
        }
    ],
    // ...
    "components": {
        "securitySchemes": {
            "OAuth2": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "scopes": {
                            "readOnly": "read objects in your account"
                        },
                        "authorizationUrl": "https://example.com/oauth/authorize",
                        "tokenUrl": "https://example.com/oauth/token"
                    }
                }
            }
        }
    }
}