Who's using Default Response?

SOLVED
Occasional Contributor

Hi all!

I have been using the APIsecurity.io OAS security audit tool this week and one of the risks it raised was a lack of a default response on APIs: https://apisecurity.io/encyclopedia/content/oasv3/datavalidation/responsedefinition/v3-response-defa...

Currently I include the codes that I want to handle: 200, 401, 403, perhaps a 500. But I have not tried the Swagger default response yet.

Is anyone in the community using it and could share their thoughts on its best practice?

My POV is that it's to cover a scenario where there is more than one HTTP error condition, and also when the client does something really bad (perhaps on purpose) and we have a case that captures that and prevents an uncaught being sent to a client (stack trace, God forbid).

It'd be great to hear your thoughts/usage.

1 ACCEPTED SOLUTION

Occasional Contributor

Re: Who's using Default Response?

@matjung Thanks for sharing.

I took it a step further and spoke with the team at API Security about what it is used for.

They sell an API firewall (a smart proxy linked to a whitelist from the API def) and it uses the "default response" as a special case in the event that the downstream service sends something that isn't in the API definition.

- The API def says you could send a 401 and a 403 to clients, but the service sends a 409. In this event it doesn't match the whitelist, so it is not forwarded to the client and instead the default response is sent.

I think if you're not using that, then the default case isn't of interest.

Anyone else want to elaborate / share?

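The allow-list behaviour described in the accepted answer (declared codes pass, anything else is replaced by the default response) and the explicit-code list from the original question, as an added example that is not code from the thread, from APIsecurity.io, or from their firewall. The OpenAPI fragment, the path names, the upstream replies and the choice to keep the upstream status code while replacing the body are all constructed assumptions for illustration:

```python
import json
from dataclasses import dataclass

# Constructed OpenAPI 3 fragment, in JSON form so it loads without PyYAML.
# "/orders/{id}" declares explicit codes like the original poster's list plus
# a "default" entry; "/health" declares only 200 and no default.
SPEC_JSON = """
{
  "paths": {
    "/orders/{id}": {
      "get": {
        "responses": {
          "200": {"description": "Order found"},
          "401": {"description": "Not authenticated"},
          "403": {"description": "Not authorised"},
          "default": {"description": "Unexpected response"}
        }
      }
    },
    "/health": {
      "get": {
        "responses": {
          "200": {"description": "Service is up"}
        }
      }
    }
  }
}
"""
SPEC = json.loads(SPEC_JSON)


@dataclass
class Response:
    status: int
    body: str


def responses_for(spec, path, method):
    return spec["paths"][path][method.lower()]["responses"]


def allowed_statuses(spec, path, method):
    """Explicit status codes declared for the operation; 'default' is not a code."""
    return {int(code) for code in responses_for(spec, path, method) if code != "default"}


def filter_response(spec, path, method, upstream):
    """Allow-list check as the accepted answer describes.

    A declared code passes through unchanged. An undeclared code (a 409 the
    spec never mentions, or a 500 carrying a stack trace) is not forwarded:
    the body is replaced by a generic JSON message built from the 'default'
    entry's description. The upstream status code is kept, since OpenAPI's
    'default' covers every code not listed explicitly (assumption; a real
    proxy may substitute a fixed status instead).
    """
    if upstream.status in allowed_statuses(spec, path, method):
        return upstream
    default = responses_for(spec, path, method).get("default")
    if default is None:
        # No default declared: still never leak the upstream body; answer 502.
        return Response(502, json.dumps({"message": "Bad Gateway"}))
    return Response(upstream.status, json.dumps({"message": default["description"]}))


if __name__ == "__main__":
    # Constructed upstream replies: one declared, one undeclared, one leaking a trace.
    for up in (Response(200, '{"id": 7}'),
               Response(409, '{"error": "duplicate order"}'),
               Response(500, "Traceback (most recent call last): ...")):
        out = filter_response(SPEC, "/orders/{id}", "get", up)
        print(up.status, "->", out.status, out.body)
```

Note the trade-off this makes visible: if you declare 500 explicitly, as the original poster considers, a raw 500 body passes the allow-list unchanged, so the stack-trace case the poster worries about is only caught by the default entry when 500 is left undeclared (or when the proxy also validates the response body against the declared schema).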

2 REPLIES

New Contributor

Re: Who's using Default Response?

I am outing myself as one of those guys who are not working with the default error response concept.

Usually I only include 200 with content

I tend to omit headers too.

My source code outputs parts of the specification (paths+components/schemas).
Up to now the readers of the specification (other developers+testers+operations) never complained about missing details.

Attackers are certainly able to exploit APIs.

Just swagger, yaml, oas, etc. won't protect systems from getting hacked.

Given the bunch of tools around, I also have to reveal that I never heard about apisecurity.io

It looks like it works in analogy to HTML and CSS validators.

