POST, PUT, PATCH, and DELETE methods can modify data, change the state of resources, or delete them entirely. Without proper security measures, malicious actors could exploit these endpoints to introduce unauthorized changes, delete important data, or compromise the integrity of an API. Furthermore, unprotected API operations can lead to data breaches, which not only harm the reputation of the affected organization but can also result in legal and financial repercussions. By implementing security rules, developers can control who has access to these operations and under what conditions, ensuring that only authorized users can make changes and that the system remains secure and reliable. Authentication, authorization, rate limiting, and data validation are just a few examples of security rules that can be implemented.
This rule applies at the API Specification level (OAS/Swagger).
Unauthorized Access: Missing global security controls may allow unauthorized users or attackers to gain access to sensitive resources, functionalities, or data within the system. This could include accessing administrative interfaces, sensitive configuration files, or critical system components without proper authentication or authorization.
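The following is an added example, not code from the original page or from the tool that publishes this rule. It shows what the check looks like in practice for an OpenAPI 3 document: a small Python checker that walks the `paths` object and reports POST/PUT/PATCH/DELETE operations that end up with no security requirement, applying the OpenAPI override semantics (an operation-level `security` list replaces the global one, and an explicit `security: []` disables it). The two specifications are constructed inline as Python dictionaries, equivalent to their YAML form; the `bearerAuth` scheme name and the `/items` paths are assumptions for the example.

```python
# Added example (not from the original page): flag state-changing OpenAPI 3
# operations that carry no security requirement, either globally or per operation.

MUTATING_METHODS = ("post", "put", "patch", "delete")


def find_unprotected_mutations(spec):
    """Return sorted [(path, method), ...] for mutating operations with no
    effective security requirement, following OpenAPI override rules:
    - an operation-level `security` list replaces the global one entirely;
    - an explicit empty list (`security: []`) disables security for that op;
    - an absent operation-level key inherits the global list (possibly absent).
    """
    global_security = spec.get("security") or []
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in MUTATING_METHODS:
            op = item.get(method)
            if op is None:
                continue
            effective = op["security"] if "security" in op else global_security
            if not effective:
                findings.append((path, method))
    return sorted(findings)


def referenced_schemes_defined(spec):
    """True if every scheme named in any security requirement is declared under
    components.securitySchemes; a dangling name gives a false sense of coverage."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    requirements = list(spec.get("security") or [])
    for item in spec.get("paths", {}).values():
        for op in item.values():
            if isinstance(op, dict):  # skip non-operation keys such as "parameters"
                requirements.extend(op.get("security") or [])
    return all(name in defined for req in requirements for name in req)


# Constructed weak spec: no global `security`, and the mutating operations
# declare none of their own, so any unauthenticated caller can create,
# overwrite or delete items.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/items": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"responses": {"201": {"description": "created"}}},
        },
        "/items/{id}": {
            "put": {"responses": {"200": {"description": "ok"}}},
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
    },
}

# Constructed corrected spec: a bearer scheme is declared and applied globally;
# only the read-only listing is deliberately opened up with `security: []`.
SECURE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
        }
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/items": {
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
            "post": {"responses": {"201": {"description": "created"}}},
        },
        "/items/{id}": {
            "put": {"responses": {"200": {"description": "ok"}}},
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
    },
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("secure", SECURE_SPEC)):
        print(label, find_unprotected_mutations(spec), referenced_schemes_defined(spec))
```

Running the checker against a real document means loading the YAML or JSON into the same dictionary shape first (for example with PyYAML's `safe_load`); the second function is worth keeping because a global `security` block that names a scheme missing from `components.securitySchemes` passes a naive "is security set?" check while still leaving the operations unprotected in most gateways.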