| V-274497 | | The API must encrypt data in transit. | An API must ensure sensitive tokens, including both internal and user-specific tokens, are transmitted over secure channels using HTTPS to protect the... |
| V-274507 | | The API must be configured to use approved authorizations for access control. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-274517 | | The API must enable monitoring and alerts. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-274519 | | The API Gateway must generate audit records when successful/unsuccessful attempts to access privileges occur. | The API Gateway must generate audit records when successful or unsuccessful attempts to access privileges occur to ensure security, accountability, an... |
| V-274520 | | The API must generate audit records when successful/unsuccessful attempts to access privileges occur. | The API must generate audit records when successful or unsuccessful attempts to access privileges occur to ensure security, traceability, and accounta... |
| V-274522 | | The API Gateway must generate audit records of what type of events occurred. | By recording the details of each event, the gateway can track and log specific actions such as authentication attempts, authorization checks, request ... |
| V-274523 | | The API must monitor the usage of API keys to detect any anomalies. | Monitoring the usage of API keys to detect anomalies is crucial for maintaining security, preventing abuse, and ensuring only authorized users or appl... |
| V-274524 | | The API must generate audit records of what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-274525 | | The API must audit rate-limiting events. | The API must audit rate-limiting events to ensure security, system stability, and fair resource usage. Rate limiting is essential for protecting the A... |
| V-274526 | | The API Gateway must audit rate limiting events. | The API Gateway must audit rate-limiting events to ensure robust security, performance, and compliance across all APIs it manages. Rate-limiting is a ... |
| V-274527 | | The API Gateway must audit authentication and authorization information. | The API Gateway must audit authentication and authorization information to ensure robust security, compliance, and accountability in access control. A... |
| V-274528 | | The API must audit authentication and authorization information. | The API must audit authentication and authorization information to ensure proper security, accountability, and compliance. Auditing authentication and... |
| V-274529 | | The API Gateway must audit exceptions and errors that occur during the processing. | The API gateway must audit exceptions and errors that occur during processing to ensure robust security, reliable performance, and effective troublesh... |
| V-274530 | | The API must audit exceptions and errors that occur during the processing. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-274531 | | The API Gateway must audit execution time and performance metrics. | The API Gateway must audit execution time and performance metrics to ensure efficient traffic management, optimize resource usage, and maintain a high... |
| V-274532 | | The API must audit execution time and performance metrics. | The API must audit execution time and performance metrics to ensure optimal operation, detect bottlenecks, and maintain a high level of service reliab... |
| V-274533 | | The API Gateway must audit request and response details (such as method, URL, headers, body, status, etc.). | The API Gateway must audit request and response details to ensure robust security, efficient troubleshooting, and compliance with regulations. As the ... |
| V-274534 | | The API must audit request and response details (such as method, URL, headers, body, status, etc.). | By logging request and response data, the API can track the flow of information between clients and the system, providing a detailed audit trail that ... |
| V-274537 | | All defined API elements must be documented. | All defined API elements and their security-relevant configurations must be documented and enforced, ensuring compliance with the organization's appro... |
| V-274556 | | API keys must be configured with usage restrictions. | Requiring every API key to have restrictions for both the applications and the specific set of APIs minimizes the attack surface and ensures that each... |
| V-274557 | | The API must limit the exposure of endpoints. | Exposing too many API endpoints, which are specific URLs or paths that allow clients to interact with various functions or data within the system, inc... |
| V-274559 | | The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-274600 | | The API must protect Session IDs via encryption. | Encrypting Session IDs protects them from interception and unauthorized access, preventing session hijacking and ensuring the confidentiality and inte... |
| V-274603 | | The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG). | Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session ident... |
| V-274606 | | The API implementation must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of API keys. | Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest (e.g., network devic... |
| V-274612 | | The API must employ throttling. | The API must employ throttling to limit the effects of information flooding types of denial-of-service (DoS) attacks. DoS is a condition when a resour... |
| V-274613 | | The API must specify allowed origins when using Cross-Origin Resource Sharing (CORS). | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process ... |
| V-274615 | | The API must not disclose sensitive data in error messages. | Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure... |
| V-274643 | | Access to API privileged features and functions must be restricted. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-274672 | | The API must require periodic reauthentication. | Without reauthentication, resources may be accessed without authorization.
When APIs provide the capability to change security roles or escalate the... |
| V-274677 | | The API must have a mechanism for cache invalidation when using cache policy data. | Temporarily storing (caching) information like access control rules or system configuration policies in memory or a local store allows the system to a... |
| V-274678 | | When stateless authentication tokens are used, the API must configure them with appropriate security settings. | When stateless authentication tokens (e.g., JSON Web Tokens [JWT]) are used by implementing shared libraries associated with a microservice, security ... |
| V-274679 | | The API's internal authorization tokens must not be provided back to the user. | An API's internal authorization tokens must not be provided back to the user because exposing these tokens increases the risk of unauthorized access t... |
| V-274680 | | API access tokens must be configured to expire. | API access tokens are short-lived credentials used to authenticate and authorize API requests. They are included in request headers to grant access to... |
| V-274681 | | API refresh tokens must be configured to expire. | By setting an expiration date on refresh tokens, the potential for abuse of a leaked token is reduced. Additionally, limiting their lifespan ensures t... |
| V-274682 | | The API must enforce per-client rate limits. | Configuring rate limits on API keys helps prevent abuse, mitigates denial-of-service attacks, and ensures fair usage of resources by restricting the n... |
| V-274697 | | Clients must be configured to route requests through a single API gateway that enforces the association and transmission of organization-defined security attributes with each request. | Using a single API gateway URL for all client communications centralizes key aspects of security management, such as authentication, rate limiting, an... |
| V-274707 | | The API must use a gateway. | API Gateway acts as a centralized point for managing and securing API traffic, enhancing the overall security posture of an API ecosystem.
The API G... |
| V-274712 | | The API must audience-restrict access tokens in accordance with organization-defined identification and authentication policy. | An API must audience-restrict access tokens to ensure tokens can only be used by the intended recipient or service. Audience restriction involves embe... |
| V-274714 | | The API must use parameterized queries. | A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintend... |
| V-274715 | | The API must provide input validation. | A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintend... |
| V-274723 | | The API must authenticate remote commands. | Authentication safeguards for remote commands help to ensure that information systems accept and execute, in the order intended, only authorized comma... |
| V-274767 | | The API must encode outputs. | Output encoding ensures data sent from an API is properly formatted and does not cause unintended effects on the receiving end.
Requiring an API to ... |
| V-274768 | | The API must use a static type of system. | By enforcing strict type checks at compile time, a static type of system ensures that data passed between functions or components is validated against... |
| V-274769 | | The API must use Web Application Firewall (WAF). | The API must be protected by a Web Application Firewall (WAF) or an API Gateway that monitors and filters incoming and outgoing traffic to prevent inj... |
| V-274783 | | The API must use a FIPS-validated cryptographic module to provision digital signatures for tokens. | FIPS 140-2/140-3 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. ... |
| V-274785 | | API services identified within the system as unnecessary and/or nonsecure must be disabled. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary AP... |
| V-274830 | | The API must provide protected storage for API keys. | API key exposure introduces security vulnerabilities to hosted applications.
Store API keys securely, avoiding plaintext storage.
Avoid plain text ... |
| V-274835 | | API must use a circuit breaker pattern to handle failures and timeouts. | A circuit breaker pattern is essential in APIs to prevent cascading failures and improve system resilience. It monitors API calls and temporarily bloc... |
| V-274839 | | Cryptographic keys that protect access tokens must be protected. | Cryptographic keys are used to sign and verify access tokens, ensuring they have not been tampered with and that the user or service presenting the to... |
| V-274840 | | The API must protect the private keys used to sign assertions and tokens. | Private keys are used to sign tokens and assertions, which verify the identity and permissions of users or systems requesting access. If these keys ar... |
| V-274841 | | Generating assertions must be restricted. | An API may be required to generate assertions when it plays a role in authentication, authorization, or secure data exchange. In protocols like SAML o... |
| V-274842 | | The API must issue assertions in accordance with organization-defined identification and authentication policy. | An API must issue assertions when it acts as an identity provider or plays a role in secure authentication and authorization processes. Assertions are... |
| V-274843 | | The API must refresh assertions in accordance with organization-defined identification and authentication policy. | An API must refresh assertions to maintain secure, uninterrupted access while ensuring that authentication and authorization remain valid over time. A... |
| V-274844 | | The API must revoke assertions in accordance with organization-defined identification and authentication policy. | An API must revoke assertions to immediately terminate access when a user's credentials are compromised, their permissions change, or their session is... |
| V-274845 | | The API must time-restrict assertions in accordance with organization-defined identification and authentication policy. | An API must time-restrict assertions to minimize security risks and ensure access to protected resources is granted only within a valid and controlled... |
| V-274846 | | The API must audience-restrict assertions in accordance with organization-defined identification and authentication policy. | An API must audience-restrict assertions to ensure the information or access granted by a token is only usable by its intended recipient. Assertions l... |
| V-274847 | | The API must generate access tokens in accordance with organization-defined identification and authentication policy. | An API must generate access tokens to securely manage authentication and authorization directly within the application. Access tokens, such as JWTs or... |
| V-274848 | | The API must issue access tokens in accordance with organization-defined identification and authentication policy. | An API must issue access tokens to independently handle authentication and authorization for securing access to its resources. By issuing access token... |
| V-274849 | | The API must refresh access tokens in accordance with organization-defined identification and authentication policy. | An API must refresh access tokens to maintain secure, uninterrupted access while minimizing the risk of token misuse or expiration. Access tokens typi... |
| V-274850 | | The API must revoke access tokens in accordance with organization-defined identification and authentication policy. | An API must revoke access tokens to immediately terminate access when a user's session or permissions are no longer valid or if there is a security br... |
| V-274851 | | The API must time-restrict access tokens in accordance with organization-defined identification and authentication policy. | An API must time-restrict access tokens to enhance security by limiting the window of opportunity for unauthorized access. Access tokens typically hav... |
| V-274607 | | The API must encrypt sensitive cached data. | API caching is often used to cache endpoint responses. Caching will reduce the number of calls made to the endpoint and can improve application perfor... |
| V-274709 | | The amount of data returned by the API must be restricted. | Restrict exposing excessively large sets of data that could be used to discover vulnerabilities or extract sensitive information. This will protect se... |
| V-274710 | | The API must use TLS version 1.2 at a minimum. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
