Authentication Security Best Practices
api-keys-in-header
Guidance
Your API accepts API keys sent in cleartext in a header over an unencrypted channel (a server URL that uses plain http:// instead of https://). Attackers on the network path can easily intercept
API calls and retrieve the credentials. They can then replay the credentials to make other API calls as the legitimate client.
Message
API keys should not be sent in cleartext in a header over an unencrypted channel.
Examples
valid
openapi: 3.0.0
info:
  title: My API
  description: This is a sample API
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
invalid
openapi: 3.0.0
info:
  title: My API
  description: This is a sample API
  version: 1.0.0
servers:
  - url: http://api.example.com/v1
Applies to Operation
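The following is an added example of how this rule can be checked per operation; it is not the linting tool's own implementation. It assumes the OpenAPI 3.x document has already been parsed into Python dicts (for example with PyYAML), and the two sample documents, the securityScheme name ApiKeyAuth and the header name X-API-Key are constructed for this example. An operation is flagged when it requires an apiKey scheme located in a header and its effective server list (operation, then path item, then document root, per OpenAPI precedence) contains a plain http:// URL.

```python
"""Flag operations that accept an API key in a header over an unencrypted server.

Added example, not the tool's own code. Input is an OpenAPI 3.x document already
parsed into dicts (e.g. yaml.safe_load); the sample specs below are constructed.
"""
from urllib.parse import urlparse

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def header_api_key_schemes(spec):
    """Names of securitySchemes that carry an API key in a request header."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return {
        name
        for name, scheme in schemes.items()
        if scheme.get("type") == "apiKey" and scheme.get("in") == "header"
    }


def cleartext_servers(servers):
    """Server URLs whose scheme is plain http (no TLS)."""
    return [s["url"] for s in servers if urlparse(s.get("url", "")).scheme.lower() == "http"]


def find_cleartext_api_keys(spec):
    """One finding per operation that requires a header API key and is reachable
    over an http:// server. Servers and security requirements use OpenAPI
    precedence: operation overrides path item, which overrides the document root."""
    header_schemes = header_api_key_schemes(spec)
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = path_item.get(method)
            if op is None:
                continue
            servers = op.get("servers") or path_item.get("servers") or spec.get("servers", [])
            # An explicit `security: []` on the operation disables authentication.
            security = op.get("security", spec.get("security", []))
            # Each requirement object maps scheme name -> list of scopes.
            required = {name for requirement in security for name in requirement}
            exposed = sorted(required & header_schemes)
            insecure = cleartext_servers(servers)
            if exposed and insecure:
                findings.append(
                    {"path": path, "method": method, "schemes": exposed, "servers": insecure}
                )
    return findings


# Constructed sample: TLS-only server, so the header API key is never sent in cleartext.
VALID_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "My API", "version": "1.0.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "components": {
        "securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}
    },
    "security": [{"ApiKeyAuth": []}],
    "paths": {"/items": {"get": {"responses": {"200": {"description": "ok"}}}}},
}

# Constructed sample: root server is http://. GET /items inherits it and is flagged;
# POST /items overrides servers with https and passes; GET /status requires no auth.
INVALID_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "My API", "version": "1.0.0"},
    "servers": [{"url": "http://api.example.com/v1"}],
    "components": {
        "securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}
    },
    "security": [{"ApiKeyAuth": []}],
    "paths": {
        "/items": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {
                "servers": [{"url": "https://api.example.com/v1"}],
                "responses": {"201": {"description": "created"}},
            },
        },
        "/status": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for f in find_cleartext_api_keys(INVALID_SPEC):
        print(f"{f['method'].upper()} {f['path']}: header API key {f['schemes']} over {f['servers']}")
```

Running the block prints a single finding for GET /items; the https override on POST /items and the explicit empty security list on GET /status are the two cases a per-operation rule must not flag, which is why the check resolves servers and security at the operation level rather than only reading the document root.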