alex-savage (Occasional Contributor) - 5 years ago
Who's using Default Response?
Hi all! I have been using APIsecurity.io OAS security audit tool this week and one of the risks it raised was a lack of default response on APIs: https://apisecurity.io/encyclopedia/content/oasv3...
- 5 years ago
matjung, thanks for sharing.
I took it a step further and spoke with the team at API Security about what it is used for.
They sell an API firewall (a smart proxy linked to a whitelist built from the API definition), and it uses the "default response" as a special case in the event that the downstream service sends something that isn't in the API definition.
- E.g. the API definition says you could send a 401 and a 403 to clients, but the service sends a 409. In this event it doesn't match the whitelist, so it is not forwarded to the client and instead the default response is sent.
I think if you're not using that, then the default case isn't of interest.
Anyone else want to elaborate / share?
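The allow-list behaviour described in the reply above, as an added illustration (this is not code from the thread or from the API firewall product it mentions): an operation declares 200, 401 and 403 plus a `default` response, and a filter passes declared statuses through but replaces an undeclared one (a 409 here) with the contract's default. The OpenAPI fragment is constructed for the example, and the choice of 500 as the status carried by the substituted default is this example's own assumption, since an OpenAPI `default` response has no status code of its own.

```python
# Constructed OpenAPI 3 fragment (hypothetical, not from the thread).
OPENAPI_DOC = {
    "paths": {
        "/orders/{id}": {
            "get": {
                "responses": {
                    "200": {"description": "Order found"},
                    "401": {"description": "Unauthenticated"},
                    "403": {"description": "Forbidden"},
                    "default": {
                        "description": "Unexpected error",
                        "content": {"application/json": {"example": {"message": "unexpected error"}}},
                    },
                }
            }
        }
    }
}

# Same operation without a default response, to show the fallback when none is declared.
NO_DEFAULT_DOC = {
    "paths": {"/orders/{id}": {"get": {"responses": {"200": {"description": "Order found"}}}}}
}

# Assumed status code for a substituted default response (OpenAPI "default" carries none).
DEFAULT_STATUS = 500


def allowed_statuses(doc, path, method):
    """Return the explicitly declared status codes of an operation (the allow-list)."""
    responses = doc["paths"][path][method]["responses"]
    return {code for code in responses if code != "default"}


def filter_upstream_response(doc, path, method, status, body):
    """Return (status, body, replaced) for what a contract-enforcing proxy would forward.

    A declared status passes through unchanged. An undeclared status is not forwarded:
    the upstream body is dropped and the contract's default response example is sent
    instead, or a generic message if the operation declares no default at all.
    """
    if str(status) in allowed_statuses(doc, path, method):
        return status, body, False
    fallback = doc["paths"][path][method]["responses"].get("default")
    if fallback is None:
        return DEFAULT_STATUS, {"message": "internal error"}, True
    example = fallback.get("content", {}).get("application/json", {}).get("example")
    return DEFAULT_STATUS, example if example is not None else {"message": fallback["description"]}, True
```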