Audit API security

Whenever you import an API to the 42Crunch Platform, API Security Audit automatically audits the OpenAPI definition to check the following:

  • OpenAPI format: Is your API a valid and well-formed OpenAPI file, and does it follow the best practices and the spirit of the OpenAPI Specification? Can it be correctly parsed, reviewed, or protected?
  • Security: How good are the security definitions in your API? Have you defined authentication and authorization methods, and is your chosen protocol secure enough?
  • Data validation: What is the data definition quality of your API? How well have you defined what data your API accepts as input or can include in the output it produces, and how strong are the schemas you have defined for your API and its parameters?

Both OpenAPI Specification v2 and v3 are supported. The file size of your API should not exceed 10 MB.

View audit reports

You can check how many and what kind of issues Security Audit found in your API definition, as well as where they are located in the API definition. The report also shows how critical each issue is in terms of API security, so you can prioritize what to fix first.

  1. Click API collections, and click the name of the API collection you want. You can see the APIs in the collection and their status at a glance.
  2. Locate the API you want, and click the number of found issues in the Security Audit column to open the audit report. You can see, for example:
    • The audit score
    • The most common issues that the audit found in your API and how many times they occurred
    • Which issues would increase the security of your API definition the most (and consequently add most points to your audit score) if fixed

  3. Click on the links in the summary, or use the filters on the left to drill into the results.
  4. To see a list of all found issues instead of the overview, click Issues above the filter panel.
  5. Click on the found issues to show articles that provide the issue ID of the audit check and more details on the issue as well as recommendations on how fix it.
  6. To jump to Security Editor to edit your API, click Fix issue in Security Editor.

For more details on fixing the issues that Security Audit found, see Fix APIs.

Export audit report

You can export an audit report from 42Crunch Platform, for example, to share with others.

  1. Go to audit report you want to export, and click Issues.
  2. Click , and choose if you want to download the report as a JSON file, or copy the report on clipboard for pasting.

We recommend you treat the exported audit report as company-confidential information and store it safely, because it can reveal information on security risks in your APIs to outsiders.

Start audit manually

Whenever you import an API to the 42Crunch Platform, API Security Audit automatically audits the OpenAPI definition. You can also manually kick off a new audit on an API that you have already imported to the platform.

  1. Find the API you want to audit.

    The quickest way to find API definitions in 42Crunch Platform is to click Find API in the main menu.

  2. Click > Start Security Audit.

You can also rerun the audit from the audit report page.

Run audit without authentication checks

If one or more of the operations in your API does not need authentication, you can add the extension x-42c-no-authentication to these operations and switch off authentication checks from Security Audit.

The extension x-42c-no-authentication has no any effect if your API definition or operation includes the security field. Security Audit keeps running the authentication checks as long as the field is present.

  1. Click the API you want, and go to the Security Editor tab.
  2. To switch off security checks for a particular operation, add the extension to that operation in the API definition:
    "get": {
        "summary": "List all pets",
        "operationId": "listPets",
        "x-42c-no-authentication": true,
        "tags": [
            "pets"
            ],
        ...
  3. To switch off authentication checks for the whole API, add the extension on the global level of the API definition:
    {
      "openapi: "3.0.0",
      "x-42c-no-authentication": true,
      "info": {
        "version": "1.0.0",
        ...
  4. Click Save and re-test to update the API definition and run Security Audit again.

You can see that the overall audit score and the score for security change as authentication checks are removed:

The image shows how removing authentication checks has raised the overall and security scores for the API.

Other security checks are still run normally and continue to reduce points.

Remember that the increased score is the result of disabling checks, your API has not suddenly become more secure. We recommend you only use the extension on APIs and operations that really do not need authentication.

For more details, see x-42c-no-authentication.

Declare mTLS for audit score

If your API is using mutual TLS (mTLS) authentication, you can declare that in your OpenAPI definition with the vendor extension x-42c-mtls so that Security Audit can take this into account when it calculates the audit score.

You can add the extension to your API globally at the top level, or locally to individual operations if the whole API is not using mTLS.

  1. Click the API you want, and go to the Security Editor tab.
  2. To declare mTLS on a particular operation, add the extension to that operation in the API definition:
    "get": {
        "summary": "List all pets",
        "operationId": "listPets",
        "x-42c-mtls": true,
        "tags": [
            "pets"
            ],
        ...
  3. If the whole API uses mtLS, add the extension on the global level of the API definition:
    {
      "openapi: "3.0.0",
      "x-42c-mtls": true,
      "info": {
        "version": "1.0.0",
        ...
  4. Click Save and re-test to update the API definition and run Security Audit again.

The audit algorithm now takes into account the added protection from mTLS and your security score increases.

For more details, see x-42c-mtls

Specify sensitivity level

Define how sensitive API operations in your API definition are and how severe security risk is involved. Specifying a sensitivity level affects how the audit score is calculated for your API: an issue occurring in an operation marked to be more sensitive weighs more in the audit and reduces more points from the audit score than the same issue occurring in a less sensitive operation. This lets you to fine-tune Security Audit to better reflect the associated risks.

You can add the extension on the top level of your API to define the sensitivity level globally for the whole API, or locally to individual operation or responses. Local sensitivity levels override the global sensitivity.

  1. Click the API you want, and go to the Security Editor tab.
  2. Locate the operation you want in your OpenAPI definition, add the extension to that operation, and specify the sensitivity level, from 1 (not sensitive) to 5 (critical):
    "post": {
        "summary": "Creates a new admin user",
        "operationId": "addAdmins",
        "x-42c-sensitivity": 5,
        "tags": [
            "users"
            ],
        ...
  3. Click Save and re-test to update the API definition and run Security Audit again.

In the following example, a login operation has been defined as a highly sensitive one. You can see how the increased sensitivity also increases the impact of the issue and how more points are reduced from the audit score:

For more details, see x-42c-sensitivity.

Instead of (or in addition to) the sensitivity of the operation, if you want to specify how sensitive data is included in a particular schema or parameter (for OAS v2 only), you can add the extension x-42c-sensitivity-data to the schema or parameter objects like x-42c-sensitivity to operation objects. See x-42c-sensitivity-data.