schema-no-additional-properties

This rule ensures that schema objects of type “object” explicitly forbid additional properties.

Rule Details

Allowing additional properties can lead to inconsistencies in the API’s structure, as well as to security risks. If a malicious actor can inject unsupported fields into an API request and those fields are not validated, the server may function incorrectly.

The schema-no-additional-properties rule is designed to ensure that all schema objects of type “object” explicitly forbid additional properties. This is done by checking if the additionalProperties field is set to false.

Configuration

None.

Examples

Good.

components:
  schemas:
    User:
      type: object
      properties:
        firstName:
          type: string
        lastName:
          type: string
      additionalProperties: false

Bad. The User schema object does not forbid additional properties.

components:
  schemas:
    User:
      type: object
      properties:
        firstName:
          type: string
        lastName:
          type: string
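
The check described under Rule Details, written out as an added example: it is not the linter's own implementation, and the function names are hypothetical. It goes beyond the two samples above by also descending into nested properties and items, on the assumption that "all schema objects" includes them; $ref is not resolved.

```python
# Added example: a stand-in for the check, not the linter's own code.
# find_open_object_schemas and check_document are hypothetical names.

def find_open_object_schemas(schema, path):
    """Return paths of 'type: object' schemas lacking additionalProperties: false."""
    if not isinstance(schema, dict):
        return []
    findings = []
    # Only the literal false closes the object; true, a sub-schema, or absence do not.
    if schema.get("type") == "object" and schema.get("additionalProperties") is not False:
        findings.append(path)
    # A closed parent does not close its children, so descend into nested schemas.
    for name, sub in schema.get("properties", {}).items():
        findings += find_open_object_schemas(sub, f"{path}.properties.{name}")
    if "items" in schema:
        findings += find_open_object_schemas(schema["items"], f"{path}.items")
    return findings

def check_document(doc):
    """Check every schema under components.schemas of a parsed OpenAPI document."""
    findings = []
    for name, schema in doc.get("components", {}).get("schemas", {}).items():
        findings += find_open_object_schemas(schema, f"components.schemas.{name}")
    return findings

# The page's examples as parsed YAML (YAML false becomes Python False).
NAMES = {"firstName": {"type": "string"}, "lastName": {"type": "string"}}
GOOD_DOC = {"components": {"schemas": {"User": {
    "type": "object", "properties": NAMES, "additionalProperties": False}}}}
BAD_DOC = {"components": {"schemas": {"User": {
    "type": "object", "properties": NAMES}}}}
# Constructed sample: closed at the top level, open in two nested places.
NESTED_DOC = {"components": {"schemas": {"User": {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "firstName": {"type": "string"},
        "address": {"type": "object", "properties": {"city": {"type": "string"}}},
        "tags": {"type": "array",
                 "items": {"type": "object", "additionalProperties": True}},
    }}}}}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC), ("nested", NESTED_DOC)):
        print(label, check_document(doc))
```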

When Not to Use It

We recommend always enabling this rule.

Compatibility

This rule is compatible with all OpenAPI 3.x versions.
