Missing rate limit headers

owasp:api4:2019-rate-limit

Rule Severity:

High

Endpoints should use proper rate limiting to ensure service availability to all users.
This rule applies at the API Specification level (OAS/Swagger).
Include 'X-RateLimit-Limit', 'X-Rate-Limit-Limit', 'RateLimit-Limit' or 'RateLimit-Reset' in the HTTP headers to avoid unintended service disruption.
Developers incorporate headers such as 'X-RateLimit-Limit', 'X-Rate-Limit-Limit', 'RateLimit-Limit', and 'RateLimit-Reset' in HTTP responses to manage and communicate the rate limits of their API or web service to the client. By including these headers, developers give API consumers insight into how many requests they can make in a specified period, preventing unintentional breaches of the rate limit. They also allow API clients to implement adaptive strategies. With information about their remaining requests and when the rate limit will reset, clients can adjust their request patterns, spreading out their calls, or pausing until the rate limit resets, thereby avoiding any disruption to their operations. Additionally, rate limiting protects an API from being overwhelmed by too many requests, which could degrade the service quality for all users. By clearly communicating these limits, developers ensure a balanced distribution of resources among all consumers.

Example Attack Scenario

Resource Exhaustion: In the absence of rate limit headers, attackers can abuse endpoints that consume significant resources, such as generating complex reports or processing large datasets. Attackers can disrupt the availability of a service, degrade system performance, and exhaust server resources by continuously sending requests without limitations.

1. How to Identify with Example Scenario

get:
 responses:
  "201":
   description: ok
   # missing X-RateLimit-Limit, X-Rate-Limit-Limit, RateLimit-Limit, or RateLimit-Reset in the headers

1. How to Resolve with Example Scenario

get:
 responses:
  "201":
   description: ok
   headers:
    "X-RateLimit-Limit":
     schema:
      type: string
    "X-RateLimit-Reset": 
     schema: 
      type: string

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings