Forum Discussion

alex-savage's avatar
alex-savage
Occasional Contributor
5 years ago

Who's using Default Response?

Hi all!   I have been using APIsecurity.io OAS security audit tool this week and one of the risks it raised was a lack of default response on APIs: https://apisecurity.io/encyclopedia/content/oasv3...
  • alex-savage's avatar
    alex-savage
    5 years ago

    matjung Thanks for sharing. 

     

    I took it a step further and spoke with the team at API Security about what it is used for.

     

    They sell an API firewall (smart proxy linked to a Whitelist from the API Def) and it uses the "default response" as a special case in the event that the downstream service sends something that isnt in the API definition. 

    - API Def has that you could send a 401 and a 403 to clients, but the service sends a 409. In this event it doesn't match the white list so is not forward to the client and instead the default response is sent. 

     

    I think if your not using that, then the default case isn't of interest.

     

    Anyone else want to elaborate / share?