security-defined

Verifies every operation or global security is defined.

OAS	Compatibility
2.0	✅
3.0	✅
3.1	✅

API design principles

"Where are the public APIs?"

Public APIs are all around us, but they generally still require security credentials to measure usage and prevent abuse.

Not defining security credentials is an indication that someone forgot something. What was it? Aha! We're letting you know here.

This is a good rule. Every API should have security defined. Even if the API is truly public without any credential required, define the empty security section to let people know you didn't forget.

Copy

Copied

# This API has no security
security: []

Configuration

Option	Type	Description
severity	string	Possible values: `off`, `warn`, `error`. Default `error` (in `recommended` configuration).

An example configuration:

Copy

Copied

rules:
  security-defined: error

Examples

Given this configuration:

Copy

Copied

rules:
  security-defined: error

Example of incorrect security definition due to mismatching security and security schemes:

Copy

Copied

security: 
  - OAuth: []
components:
  securitySchemes:
    JWT:
      type: http
      scheme: bearer
      bearerFormat: JWT

Example of correct security definition:

Copy

Copied

security: 
  - JWT: []
components:
  securitySchemes:
    JWT:
      type: http
      scheme: bearer
      bearerFormat: JWT

security-defined

API design principles

Configuration

Examples

Related rules

Resources