Missing retry header

owasp-rate-limit-retry-after

Type:

Finding

Rule Severity:

Info

Ensure that APIs returning 429 responses contain a Retry-After header.

When an API returns a 429 Too Many Requests response, it typically indicates that the client has sent too many requests in a given amount of time. This is often seen with rate-limited APIs. Adding the Retry-After header to a 429 response provides additional information about when the client can safely make a new request without getting throttled. This helps in clearly communicating to the client how long they should wait before making another request. Without it, clients might continue to hit the endpoint, exacerbating the rate-limiting issue. Clients can programmatically detect the Retry-After header and adjust their request intervals accordingly. This leads to fewer errors and more efficient interactions with the API.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure the Retry-After header is present in 429 responses. Define proper rate limiting to avoid attackers overloading the API. Part of that involves setting a Retry-After header so well meaning consumers are not polling and potentially exacerbating problems.

Example Attack Scenario

Distributed Denial of Service (DDoS )Amplification Attacks: Hackers can exploit the absence of a Retry header to amplify (DDoS) attacks through amplification techniques. In the absence of guidance on retry timing, malicious actors can repeatedly bombard vulnerable servers with requests, depleting resources and potentially leading to service degradation or downtime.

How to Identify with Example Scenario

responses:  
 '429':    
  description: 
   Rate limit exceeded    # Missing Retry-After header

How to Resolve with Example Scenario

responses:
 '429':
  description: 
   Rate limit exceeded
  headers:      
   Retry-After:        
    description: 
     Indicates how long the client should wait before making a follow-up request.        
    schema:          
     type: string 
     # example: 'Mon, 7 Aug 2023 07:28:00 GMT'
     # optionally add examples for both date and delay-seconds        
     examples:          
      http-date:            
       value: 'Mon, 7 Aug 2023 07:28:00 GMT'          
       delay-seconds:            
        value: '120'

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
Unrestricted string
Insecure host (OAS2)
Credentials in URL
Circular references
CVE detected
Authentication removed