OWASP API Security Top 10 2019 Checklist
broken-user-authentication-authenticate-api
Guidance
Know all the possible flows that can authenticate to the API (mobile clients, web clients, deep links that implement one-click authentication, etc.), so that every flow is covered by a declared security scheme.
Message
Security scheme must be applied at global or operation level.
Examples
valid
  get:
    description: Get a list of users
    securedBy: [myAuth]
    responses:
      200:
invalid
  #%RAML 1.0
  title: Secure API Example
  types:
    Person:
      properties:
        name: string
  /users:
    get:
      responses:
        200:
          body:
            application/json:
              type: Person
Applies to Operation
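The check this rule performs can be reproduced outside the governance tooling. The following is an added example written for this page, not code from the OWASP project or from the Anypoint ruleset: it parses a small indentation-based subset of RAML 1.0 (enough for the specs shown above; a full YAML parser is not used, which is an assumption), then walks every resource and method and reports operations that end up with no security scheme. A method-level `securedBy` overrides the root-level one, and RAML's `securedBy: [null]` explicitly disables security, so both cases are handled. The input specs are constructed here; the first one mirrors the page's invalid example, the others add a Basic Authentication scheme named `myAuth`.

```python
"""Added example (not part of the OWASP API Security checklist page or the
Anypoint governance ruleset): a minimal checker for the rule "Security scheme
must be applied at global or operation level" for RAML 1.0 documents."""

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def parse_raml(text):
    """Parse a small indentation-based subset of RAML/YAML into nested dicts.

    Supported (assumption, enough for the specs below): comment/header lines,
    'key:' block mappings, 'key: scalar' leaves and flow lists like [myAuth].
    Anchors, multi-line scalars and block sequences are not handled.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close every mapping that is indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        elif value.startswith("[") and value.endswith("]"):
            parent[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            parent[key] = value
    return root


def _names_a_scheme(schemes):
    """True when a securedBy value selects at least one real scheme.
    RAML allows 'securedBy: [null]' to explicitly switch security off."""
    if isinstance(schemes, str):
        schemes = [schemes]
    return any(s not in ("null", "") for s in schemes)


def find_unsecured_operations(spec):
    """Return 'METHOD /path' for each operation left without a security scheme.
    A method-level securedBy overrides the root-level one; when the method
    declares none, the root-level setting applies."""
    root_secured = _names_a_scheme(spec.get("securedBy", []))
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if not isinstance(value, dict):
                continue
            if key.startswith("/"):          # nested resource
                walk(value, path + key)
            elif key in HTTP_METHODS:        # an operation on this resource
                own = value.get("securedBy")
                secured = root_secured if own is None else _names_a_scheme(own)
                if not secured:
                    findings.append(f"{key.upper()} {path}")

    walk(spec, "")
    return findings


# Constructed inputs. UNSECURED_SPEC mirrors the page's "invalid" example.
UNSECURED_SPEC = """\
#%RAML 1.0
title: Secure API Example
types:
  Person:
    properties:
      name: string
/users:
  get:
    responses:
      200:
        body:
          application/json:
            type: Person
"""
SCHEME_BLOCK = "securitySchemes:\n  myAuth:\n    type: Basic Authentication\n"
# Scheme applied at operation level (the page's "valid" shape).
OPERATION_SECURED_SPEC = UNSECURED_SPEC.replace(
    "  get:\n", "  get:\n    securedBy: [myAuth]\n") + SCHEME_BLOCK
# Scheme applied at global (root) level, inherited by every operation.
ROOT_SECURED_SPEC = UNSECURED_SPEC.replace(
    "title: Secure API Example\n",
    "title: Secure API Example\nsecuredBy: [myAuth]\n") + SCHEME_BLOCK
# Root-level scheme explicitly switched off again on the operation.
OVERRIDE_SPEC = ROOT_SECURED_SPEC.replace(
    "  get:\n", "  get:\n    securedBy: [null]\n")

if __name__ == "__main__":
    for name, spec in [("unsecured", UNSECURED_SPEC),
                       ("operation-secured", OPERATION_SECURED_SPEC),
                       ("root-secured", ROOT_SECURED_SPEC),
                       ("override", OVERRIDE_SPEC)]:
        print(name, find_unsecured_operations(parse_raml(spec)))
```

Running the block prints one line per constructed spec; only the unsecured and override specs report `GET /users`, which is the condition the rule's message flags.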