Ensure API specifications include definitions for 401 responses.
This rule applies at the API Specification level (OAS/Swagger).
APIs endpoints that do not return HTTP status codes descriptions are more difficult to use for developers. Adding standard responses to API specifications ensures use of those APIs is predictable and safe.
Consistent and well-documented HTTP status codes in API specifications play a vital role in the usability and understanding of an API. When developers consume an API, clear status code definitions save them time and reduce the risk of misinterpreting a response. HTTP 401, in particular, signifies that the requester has not provided the credentials necessary to view the resource. This is a common response in APIs, especially those that require authentication.
Example Attack Scenario
Security Misconfiguration Exploitation: The absence of a 401 response may indicate a broader security misconfiguration in the API or its authentication mechanisms, which attackers can exploit to gain unauthorized access or compromise the system.