A set of rules to help enforce the OWASP Top Ten security guidelines. These guidelines are defined in OWASP Top 10 and the rules to help enforce them are defined in GitHub.
To add a public style guide:
Go to the Standardization page.
Click Add Public Style Guides.
Select an existing public style guide from the list in the Manage Public Style Guides modal window.
Add it to your set of rules on the Standardization page.
Note
Preview takes you to the style guide documentation pages.
You then can:
Use the style guide as-is to automatically lint your API files.
Disable individual rules that don't follow your organization's standards.
Customize severity of the rules to meet your needs.
The security scheme must not contain API Keys in query parameters.
API Keys are (usually opaque) strings that can be eavesdropped, especially when they are passed as URL parameters.
Invalid Example
The in:query setting makes this example invalid.
securitySchemes:
API Key:
name: API Key
type: apiKey
in: queryValid Example
The in:header makes this example valid.
securitySchemes:
API Key:
name: API Key
type: apiKey
in: headerPath parameters must use random IDs that cannot be guessed, such as UUIDs.
Invalid Example
In this example, the {userId} parameter has a type of integer.
paths:
'/users/{userId}':
parameters:
- schema:
type: integer
name: userId
in: path
required: true
description: Id of an existing user.Valid Example
In this example, the {userId} parameter has a type of string with a format of uuid.
paths:
'/users/{userId}':
parameters:
- schema:
type: string
format: uuid
name: userId
in: path
required: true
description: Id of an existing user.Security scheme must use a secure method.
negotiate and auth2 are considered to be insecure security schemes.
Invalid Example
This example is invalid because oauth is considered an insecure scheme.
securitySchemes:
Oauth1:
type: http
scheme: oauthValid Example
securitySchemes:
Bearer:
type: http
scheme: bearerSecurity scheme description must state that the implementation conforms with JSON Web Tokens RFC7519, the JSON Web Token standard.
Invalid Example
This example is invalid because RFC8726 is not included in the security scheme description.
JWTBearer:
type: oauth2
flows:
authorizationCode:
...
...
...
...
description: A bearer token in the format of a JWS.Valid Example
JWTBearer:
type: oauth2
flows:
authorizationCode:
...
...
...
...
description: A bearer token in the format of a JWS and conforms to the specifications included in RFC8725.Path parameter must not contain credentials, such as API key, password, or secret.
Invalid Example
This example is invalid because the path parameter includes a string with the name password.
paths:
'/user/{password}':
parameters:
- schema:
type: string
format: password
name: password
in: path
required: trueValid Example
Remove the invalid path parameter.
paths:
'/user/Security scheme must not use basic auth. Use a more secure authentication method, such as OAuth 2.0.
Invalid Example
securitySchemes:
basicAuth:
type: http
scheme: basicValid Example
securitySchemes:
OAuth2:
type: oauth2
flows:
...
...
...
...
...POST. PUT, PATCH, and DELETE operations must be protected by a security scheme at either the global level or operation level.
Security rules are defined in the securityScheme section.
Valid Example: Global
securitySchemes:
API Key:
name: API Key
type: apiKey
in: header
security:
- API Key: []*Valid Example: Operation
paths:
'/users/{userId}':
patch:
...
responses:
...
security:
- API Key: []Array size should be limited to mitigate resource exhaustion attacks. This can be done using maxItems. You should ensure that the subschema in items is constrained too.
Integers should be limited to mitigate resource exhaustion attacks. Specifying whether int32 or int64 is expected via format.
owasp:api4:2019-integer-limitArray size should be limited to mitigate resource exhaustion attacks. This can be done using maxItems. You should ensure that the subschema in items is constrained too.
Array size should be limited to mitigate resource exhaustion attacks. This can be done using maxItems. You should ensure that the subschema in items is constrained too.
Headers for 2xx and 4 xx responses must contain RateLimit-Limit, RateLimit-Reset, X-RateLimit-Limit, or X-Rate-Limit-Limit.
Proper rate limits avoid attackers overloading the API. There are many ways to implement rate-limiting, but most of them involve using HTTP headers, and there are two popular ways to do that:
IETF Draft HTTP RateLimit Headers:. https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/
Customer headers like X-Rate-Limit-Limit (Twitter: https://developer.twitter.com/en/docs/twitter-api/rate-limits) or X-RateLimit-Limit (GitHub: https://docs.github.com/en/rest/overview/resources-in-the-rest-api)
Invalid Example
The 200 response does not contain rate-limiting headers.
responses:
'200':
description: User Not FoundValid Example
The 200 response contains rate-limiting headers.
responses:
'200':
headers:
RateLimit-Limit:
description: The number of allowed requests in the current period.
schema:
type: integer
RateLimit-Reset:
description: The number of seconds left in the current period.
schema:
type: integerHeaders for 429 responses must contain Retry-After.
Invalid Example
'429':
description: Too Many Requests
headers:
RateLimit-Limit:
...
RateLimit-Reset:
...Valid Example
'429':
headers:
RateLimit-Limit:
...
RateLimit-Reset:
...
Retry-After:
description: The number of seconds to wait before allowing a follow-up request.
schema:
type: integerString size should be limited to mitigate resource exhaustion attacks. This can be done using maxLength.
To avoid unexpected values being sent or leaked, ensure that strings have either a format or a RegEx pattern. This can be done using format or pattern.
Operation must have a 401 response defined.
Invalid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'501':
description: Bad Gateway
headers:
...Valid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'429':
...
'401':
description: Not Authenticated
headers:
...Operation must have a response defined.
Invalid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'501':
description: Bad Gateway
headers:
...Valid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'429':
...
'500':
description: Internal Server Error
headers:
...Operation must have a 400, 422 or 4xx response defined.
Invalid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'404':
description: User Not Found
headers:
...Valid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'404':
description: User Not Found
headers:
...Operation must have a 429 response defined.
Invalid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'431':
description: Request Header Fields Too Large
headers:
...Valid Example
get:
summary: Get User Info by User ID
tags: []
responses:
'200':
...
'400':
...
'429':
description: Too Many Requests
headers:
...By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation.
Object should not allow for additional properties, which can allow unspecified fields passed to the API without validation.
Invalid Example
In this example, additionalProperties are allowed on the object.
schemas:
User:
type: object
title: User
additionalProperties: true
properties:
id:
type: integer
firstName:
type: string
lastName:
type: stringValid Example
In this example, additionalProperties are not allowed on the object.
schemas:
User:
type: object
title: User
description: ''
additionalProperties: false
properties:
id:
type: integer
firstName:
type: string
lastName:
type: stringGET and HEAD operations should be protected by a security scheme at either the global level or operation level.
Security rules are defined in the securityScheme section.
Invalid Example: Global
securitySchemes:
API Key:
name: API Key
type: apiKey
in: header
security:
- API Key: []Valid Example: Operation
paths:
'/users/{userId}':
get:
...
responses:
...
security:
- API Key: []POST, PATCH, DELETE, and PUT operations should be protected by a security scheme at either the global level or operation level.
Security rules are defined in the securityScheme section.
Invalid Example
The PATCH operation has an empty security value so it is not protected.
paths:
'/users/{userId}':
patch:
...
responses:
...
security:
- []Valid Example
The PATCH operation is protected by the API Key. As an alternative, remove the empty security setting at the operation level and use global security.
paths:
'/users/{userId}':
patch:
...
responses:
...
security:
- API Key: []