Authentication Security Best Practices


api-keys-in-query



Guidance

Your API accepts API keys that are transported in query parameters. A query string is part of the request URL, so the
credential is written wherever URLs are recorded: web servers, reverse proxies and API gateways log the full request line
by default, browsers keep it in their history, and it can be forwarded to third parties in the Referer header. Because the
key is resent on every call, each of these records holds a fresh copy of a long-lived credential. An API key carried in a
request header travels over the same connection but is not captured by any of those mechanisms, which is why this rule
expects `in: header` rather than `in: query`. Moving the key to a header does not protect it in transit; the connection
still needs TLS.
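The following is an added example, not code from the MuleSoft ruleset: it implements the check this rule performs over an OpenAPI document, and shows why the placement matters by rendering the Combined Log Format line a web server or proxy would write for each request. The two specs are Python dicts mirroring the page's valid and invalid YAML fragments, the log line format and client address are constructed, and the key value `sk-constructed-123` is made up. The checker also accepts Swagger 2.0 `securityDefinitions`, which goes slightly beyond the OpenAPI 3 examples on this page.

```python
from __future__ import annotations

from urllib.parse import urlencode

# Constructed OpenAPI 3 fragments mirroring the page's valid / invalid examples.
VALID_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "api_key": {"type": "apiKey", "name": "X-API-KEY", "in": "header"},
        }
    },
}

INVALID_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "api_key": {"type": "apiKey", "name": "X-API-KEY", "in": "query"},
        }
    },
}


def api_key_schemes(spec: dict) -> dict[str, dict]:
    """Collect apiKey-type security schemes from an OpenAPI 3.x document
    (components.securitySchemes) or a Swagger 2.0 document (securityDefinitions)."""
    schemes: dict[str, dict] = {}
    components = spec.get("components") or {}
    schemes.update(components.get("securitySchemes") or {})
    schemes.update(spec.get("securityDefinitions") or {})
    return {
        name: scheme
        for name, scheme in schemes.items()
        if isinstance(scheme, dict) and scheme.get("type") == "apiKey"
    }


def find_api_keys_in_query(spec: dict) -> list[str]:
    """Names of schemes violating api-keys-in-query: an apiKey scheme with `in: query`."""
    return sorted(
        name for name, scheme in api_key_schemes(spec).items() if scheme.get("in") == "query"
    )


def access_log_line(method: str, path: str, query: dict | None = None,
                    headers: dict | None = None) -> str:
    """Render the Combined Log Format line a web server or proxy writes for a request.

    The request line (method, full URL including query string, protocol) is logged verbatim;
    of the request headers only Referer and User-Agent appear, so a custom X-API-KEY header
    never reaches the log. Client address and timestamp are constructed placeholders.
    """
    target = path + ("?" + urlencode(query) if query else "")
    headers = headers or {}
    referer = headers.get("Referer", "-")
    user_agent = headers.get("User-Agent", "-")
    return (
        f'203.0.113.7 - - [29/Nov/2023:10:15:00 +0000] '
        f'"{method} {target} HTTP/1.1" 200 512 "{referer}" "{user_agent}"'
    )


if __name__ == "__main__":
    key = "sk-constructed-123"  # made-up credential for the demonstration
    print("violations in VALID_SPEC:  ", find_api_keys_in_query(VALID_SPEC))
    print("violations in INVALID_SPEC:", find_api_keys_in_query(INVALID_SPEC))
    print("query   ->", access_log_line("GET", "/v1/orders", query={"api_key": key}))
    print("header  ->", access_log_line("GET", "/v1/orders", headers={"X-API-KEY": key}))
```

Running it prints the violating scheme name for the invalid spec and two log lines: the query-string request leaks the key verbatim into the log, the header request does not. The same checker can be pointed at a parsed YAML document (for example the output of `yaml.safe_load`) since it only walks plain dicts.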

Message

API keys should not be transported in query parameters.

Examples

valid

components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-API-KEY
      in: header        # key is sent in the X-API-KEY request header, not in the URL

invalid

components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-API-KEY
      in: query         # key becomes part of the URL and is recorded in access logs

Applies to: SecurityScheme

Constraint

Type: Declarative Validation

Type: Ruleset
Organization: MuleSoft
Published by: MuleSoft Organization
Published on: Nov 29, 2023
Asset version: 1.1.0