Forum Discussion

alex-savage's avatar
alex-savage
Occasional Contributor
5 years ago

Who's using Default Response?

Hi all!

 

I have been using APIsecurity.io OAS security audit tool this week and one of the risks it raised was a lack of default response on APIs: https://apisecurity.io/encyclopedia/content/oasv3/datavalidation/responsedefinition/v3-response-default-undefined.htm

 

Currently I include the codes that I want to handle: 200, 401, 403, perhaps a 500. But I have not tried the Swagger default response yet. 

 

Is anyone in the community using it and could share their thoughts on its best practice?

 

My POV is that it's to cover a scenario where there is more than one HTTP error condition, and also when the client does something really bad (perhaps on purpose) and we have a case that captures that and prevents an uncaught exception being sent to a client (a stack trace, God forbid).

 

It would be great to hear your thoughts / usage. 

  • matjung's avatar
    matjung
    New Contributor

    I am outing myself as one of those guys who are not working with the default error response concept.

    Usually I only include 200 with content.

    I tend to omit headers too.

    My source code outputs parts of the specification (paths+components/schemas).
    Up to now the readers of the specification (other developers+testers+operations) never complained about missing details.

    Attackers are certainly able to exploit APIs.

    Just swagger, yaml, oas, etc. won't protect systems from getting hacked.

    Given the bunch of tools around, I also have to reveal that I never heard about apisecurity.io

    It looks like it works analogously to HTML and CSS validators.

     

    • alex-savage's avatar
      alex-savage
      Occasional Contributor

      matjung Thanks for sharing. 

       

      I took it a step further and spoke with the team at API Security about what it is used for.

       

      They sell an API firewall (a smart proxy linked to a whitelist from the API def) and it uses the "default response" as a special case in the event that the downstream service sends something that isn't in the API definition. 

      - The API def says that you could send a 401 and a 403 to clients, but the service sends a 409. In this event it doesn't match the whitelist, so it is not forwarded to the client and instead the default response is sent. 

       

      I think if you're not using that, then the default case isn't of interest.

       

      Anyone else want to elaborate / share?
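
The behaviour described in the thread (explicit codes pass through, anything else is swapped for the `default` response) and the original post's worry about an uncaught error or stack trace reaching the client, as an added example. This is not code from the thread, and it is not the apisecurity.io / 42Crunch product; the OpenAPI fragment, the upstream replies, the sanitised error body and the 502 status used for the catch-all are all constructed assumptions.

```python
"""OpenAPI `default` response enforced as a whitelist, firewall-style.

Added example written for this thread; not code from the original post and
not the apisecurity.io product. The spec, the upstream replies and the 502
status used for the catch-all are constructed assumptions.
"""

# Constructed OpenAPI 3 fragment. `getOrder` lists the codes clients are meant
# to handle plus `default`; `getHealth` has no `default` on purpose.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders (constructed)", "version": "1.0.0"},
    "paths": {
        "/orders/{id}": {"get": {
            "operationId": "getOrder",
            "responses": {
                "200": {"description": "Order found"},
                "401": {"description": "Missing or invalid credentials"},
                "403": {"description": "Caller may not view this order"},
                "default": {"description": "Any other outcome, sanitised",
                            "content": {"application/json": {"schema": {
                                "$ref": "#/components/schemas/Error"}}}},
            }}},
        "/health": {"get": {
            "operationId": "getHealth",
            "responses": {"200": {"description": "Service is up"}},
        }},
    },
    "components": {"schemas": {"Error": {
        "type": "object", "required": ["code", "message"],
        "properties": {"code": {"type": "string"}, "message": {"type": "string"}},
    }}},
}

# Body substituted for the `default` case. Deliberately generic: no exception
# class, no stack frames, no internal hostnames or SQL.
SANITISED_ERROR = {"code": "unexpected_response",
                   "message": "The request could not be completed."}
CATCH_ALL_STATUS = 502  # assumption: status the proxy uses for `default`


def declared_responses(spec, path, method):
    """The `responses` map of an operation, or None if the route is unknown."""
    op = spec.get("paths", {}).get(path, {}).get(method.lower())
    return op.get("responses") if op else None


def enforce(spec, path, method, upstream_status, upstream_body):
    """Decide what the client sees for one upstream reply.

    Returns (status, body, rule) where rule is the spec key that matched
    ("200", "default", ...) or None when the reply was dropped outright.
    """
    responses = declared_responses(spec, path, method)
    if responses is None:
        return 404, None, None                      # route not in the spec
    if str(upstream_status) in responses:           # explicit whitelist hit
        return upstream_status, upstream_body, str(upstream_status)
    if "default" in responses:                      # catch-all: replace reply
        return CATCH_ALL_STATUS, dict(SANITISED_ERROR), "default"
    return CATCH_ALL_STATUS, None, None             # no default: nothing leaks


def conforms_to_error_schema(spec, body):
    """Cheap check that a substituted body has the required Error fields."""
    required = spec["components"]["schemas"]["Error"]["required"]
    return isinstance(body, dict) and all(k in body for k in required)


def run_demo():
    """Constructed upstream replies, including the 409 case from the thread."""
    cases = [
        ("/orders/{id}", "GET", 200, {"id": "o-1", "status": "paid"}),
        ("/orders/{id}", "GET", 409, {"detail": "order already shipped"}),
        ("/orders/{id}", "GET", 500,
         {"error": "Traceback (most recent call last): ... db.internal:5432"}),
        ("/health", "GET", 503, {"error": "upstream pool exhausted at 10.0.3.7"}),
        ("/orders/{id}", "DELETE", 204, None),
    ]
    return [(s, enforce(OPENAPI_SPEC, p, m, s, b)) for p, m, s, b in cases]


if __name__ == "__main__":
    for upstream_status, (status, body, rule) in run_demo():
        print(f"upstream {upstream_status} -> client {status} via {rule!r}: {body}")
```

The point the example makes is that `default` only buys you something when a component actually enforces the spec at runtime: with it, an unlisted 409 or a 500 carrying a traceback is replaced by a documented error shape the client can parse; without it (the `/health` operation), the proxy still has to drop the reply but the client gets nothing structured at all. Whether the proxy re-uses the upstream status or picks its own, as assumed here, is a product decision, so check the firewall's documentation rather than this constant.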