Authentication Security Best Practices
api-keys-in-cookie
Guidance
Your API accepts API keys that are transported in a cookie over the network. Because the credentials are sent over
the network on each API call, they are repeatedly exposed to unauthorized attempts to retrieve them.
Message
API keys should not be transported in cookies.
Examples
valid
components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-API-KEY
      in: header
invalid
components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-API-KEY
      in: cookie
Applies to SecurityScheme
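The same check written out as a stand-alone script, as an added example that is not the linter's own code. It assumes the OpenAPI 3 document is already parsed into a Python dict; the function name `find_api_keys_in_cookie` and the sample document are constructed for illustration.

```python
import json

# Constructed sample OpenAPI 3 document (JSON form), not taken from a real API.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {
      "header_key": {"type": "apiKey", "name": "X-API-KEY", "in": "header"},
      "cookie_key": {"type": "apiKey", "name": "X-API-KEY", "in": "cookie"},
      "session_ref": {"$ref": "#/components/securitySchemes/cookie_key"},
      "bearer": {"type": "http", "scheme": "bearer"}
    }
  }
}
""")

MESSAGE = "API keys should not be transported in cookies."
PREFIX = "#/components/securitySchemes/"


def find_api_keys_in_cookie(spec):
    """Return (json_pointer, message) for every apiKey scheme with in: cookie."""
    components = spec.get("components") if isinstance(spec, dict) else None
    schemes = components.get("securitySchemes") if isinstance(components, dict) else None
    if not isinstance(schemes, dict):
        return []  # no security schemes declared, nothing to check
    findings = []
    for name, scheme in schemes.items():
        if not isinstance(scheme, dict):
            continue  # malformed entry; schema validation is a separate concern
        # Follow a local $ref one level so an alias of a cookie scheme is reported too.
        ref = scheme.get("$ref")
        if isinstance(ref, str) and ref.startswith(PREFIX):
            scheme = schemes.get(ref[len(PREFIX):])
            if not isinstance(scheme, dict):
                continue  # dangling reference
        if scheme.get("type") == "apiKey" and scheme.get("in") == "cookie":
            # Escape the scheme name per JSON Pointer (RFC 6901) for the report path.
            escaped = name.replace("~", "~0").replace("/", "~1")
            findings.append(("/components/securitySchemes/" + escaped, MESSAGE))
    return findings


if __name__ == "__main__":
    for pointer, message in find_api_keys_in_cookie(SAMPLE_SPEC):
        print(f"{pointer}: {message}")
```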