security-defined

Verifies every operation or global security is defined.

OAS Compatibility
2.0
3.0
3.1

API design principles

"Where are the public APIs?"

Public APIs are all around us, but they generally still require security credentials to measure usage and prevent abuse.

Not defining security credentials is an indication that someone forgot something. What was it? Aha! We're letting you know here.

This is a good rule. Every API should have security defined. Even if the API is truly public without any credential required, define the empty security section to let people know you didn't forget.

Copy
Copied
# This API has no security
security: []

Configuration

Option Type Description
severity string Possible values: off, warn, error. Default error (in recommended configuration).

An example configuration:

Copy
Copied
rules:
  security-defined: error

Examples

Given this configuration:

Copy
Copied
rules:
  security-defined: error

Example of incorrect security definition due to mismatching security and security schemes:

Copy
Copied
security: 
  - OAuth: []
components:
  securitySchemes:
    JWT:
      type: http
      scheme: bearer
      bearerFormat: JWT

Example of correct security definition:

Copy
Copied
security: 
  - JWT: []
components:
  securitySchemes:
    JWT:
      type: http
      scheme: bearer
      bearerFormat: JWT

Related rules

Resources