
adurthisridhar
9 months ago

API keys transported in a header over network

Hi Team,

I have followed the swagger 2.0 for preparing my swaggers. I was trying to code the apikey authentication in my swaggers. I have followed the below document

https://swagger.io/docs/specification/2-0/authentication/api-keys/

I have used the code as below in security definitions

securityDefinitions:
  authorization:
    type: apiKey
    name: Authorization
    in: header

and defined the auth as below

security:
  - authorization: []

but getting the error as below

Operation accepts API keys transported in a header over network (score impact less than 1)

also for a few of the operations like OPTIONS, I don't require authorization at all. In that case, I was using as below

security: []

and ending up with below error

The security section of the operation 'options' contains an empty array (score impact less than 1)

Any help would be appreciated.
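An added example, not from the original post or from Swagger's own tooling: a small linter that reproduces the two findings quoted above over a Swagger 2.0 document, including the rule that an operation-level `security` list overrides the global one and that an explicit `[]` turns auth off. The spec below is a constructed sample held as a Python dict (loading YAML is left out to keep it dependency-free).

```python
# Constructed Swagger 2.0 sample: an apiKey-in-header scheme (as in the post)
# next to an oauth2 scheme, a global default, and per-operation overrides.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

SAMPLE_SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "authorization": {"type": "apiKey", "name": "Authorization", "in": "header"},
        "oauth": {"type": "oauth2", "flow": "application",
                  "tokenUrl": "https://example.invalid/oauth/token",  # placeholder URL
                  "scopes": {"read": "read access"}},
    },
    "security": [{"authorization": []}],  # global default: API key in header
    "paths": {
        "/items": {
            "get": {"responses": {"200": {"description": "ok"}}},  # inherits global
            "post": {"security": [{"oauth": ["read"]}],            # short-lived token
                     "responses": {"201": {"description": "created"}}},
            "options": {"security": [],                             # auth disabled
                        "responses": {"200": {"description": "cors"}}},
        }
    },
}


def effective_security(spec, operation):
    """Operation-level 'security' replaces the global list; an explicit [] disables auth."""
    return operation["security"] if "security" in operation else spec.get("security", [])


def lint(spec):
    """Return (method, path, message) for each finding a scanner would raise."""
    defs = spec.get("securityDefinitions", {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters' and vendor extensions
            sec = effective_security(spec, op)
            if "security" in op and sec == []:
                findings.append((method, path, "empty security array: operation is unauthenticated"))
            for requirement in sec:
                for scheme_name in requirement:
                    scheme = defs.get(scheme_name, {})
                    if scheme.get("type") == "apiKey" and scheme.get("in") == "header":
                        findings.append((method, path,
                                         f"API key '{scheme_name}' transported in header '{scheme.get('name')}'"))
    return findings


if __name__ == "__main__":
    for method, path, msg in lint(SAMPLE_SPEC):
        print(f"{method.upper()} {path}: {msg}")
```

Running it reports the GET (inherits the header API key) and the OPTIONS (explicit empty array) operations, while the oauth2-protected POST is silent.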

1 Reply

  • Hey adurthisridhar,

    Are you using third-party API security scanning tools here in conjunction with your Swagger definitions?

    If so, then please refer to the configuration options of those tools to ensure conformity etc.

    In general, the reason for the warning/scan errors above for API keys is that they are regarded as less secure than other, more secure authentication methods, like OAuth 2.0, which issue tokens that have a limited lifetime.

    Cheers,

    Frank