operation-security-defined

Warn if an OpenAPI operation does not have any security requirements.

Rule Details

Operations may restrict access to themselves. Specifying this in OpenAPI contracts helps users of the API to understand the security measures and manage their requests accordingly.

This rule checks every operation in an OpenAPI contract and warns when an operation does not have security requirements defined. This includes cases:

Configuration

None.

Examples

Good. Operation inherits non-empty security requirements defined globally.

paths:
  /users:
    get:
      responses:
        "200":
          description: A list of users.
security:
  - api_key: []
components:
  securitySchemes:
    api_key: ...

Good. Operation defines its own security requirements.

paths:
  /users:
    get:
      security:
        - api_key: []
      responses:
        "200":
          description: A list of users.
components:
  securitySchemes:
    api_key: ...

Bad. Neither the OpenAPI document nor the operation defines security requirements.

paths:
  /users:
    get:
      responses:
        "200":
          description: A list of users.
components: ...

Bad. The operation resets the security requirements to an empty set.

paths:
  /users:
    get:
      security: []
      responses:
        "200":
          description: A list of users.
components:
  securitySchemes:
    api_key: ...
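As an added example (not the linter's own code), the following stand-alone check reproduces the rule over an already-parsed OpenAPI 3.x document: it inherits the global `security` list, treats an operation-level `security: []` as a reset, and reports every operation whose effective requirements are empty. The three sample documents are constructed to mirror the Good and Bad examples above.

```javascript
// Added example, not the linter's own code: a stand-alone implementation of the
// operation-security-defined check over an already-parsed OpenAPI 3.x document.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

// An operation is protected when its effective `security` list holds at least one
// requirement object. An operation-level `security` wins over the global one, so
// `security: []` on the operation resets the requirements and is reported too.
function hasSecurityRequirements(operation, globalSecurity) {
  const effective = Array.isArray(operation.security) ? operation.security : globalSecurity;
  return Array.isArray(effective) && effective.length > 0;
}

// Returns one finding per operation without effective security requirements.
function checkOperationSecurityDefined(doc) {
  const findings = [];
  for (const [path, pathItem] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      if (!pathItem[method]) continue;
      if (!hasSecurityRequirements(pathItem[method], doc.security)) {
        findings.push({
          rule: "operation-security-defined",
          location: `paths.${path}.${method}`,
          message: "Operation does not have any security requirements.",
        });
      }
    }
  }
  return findings;
}

// Constructed sample documents mirroring the Good and Bad examples above.
const responses = { "200": { description: "A list of users." } };
const inheritsGlobal = {
  openapi: "3.0.3",
  security: [{ api_key: [] }],
  paths: { "/users": { get: { responses } } },
};
const nothingDefined = {
  openapi: "3.0.3",
  paths: { "/users": { get: { responses } } },
};
const resetsToEmpty = {
  openapi: "3.0.3",
  security: [{ api_key: [] }],
  paths: { "/users": { get: { security: [], responses }, post: { responses } } },
};
for (const doc of [inheritsGlobal, nothingDefined, resetsToEmpty]) {
  console.log(checkOperationSecurityDefined(doc));
}
```

In the last document only `get` is reported: `post` carries no `security` key of its own and therefore inherits the non-empty global list.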

When Not to Use It

You may disable this rule when your API does not restrict access to itself in any way.

Compatibility

This rule is compatible with all OpenAPI 3.x versions.
