The API must limit the exposure of endpoints.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274557 | SRG-APP-000141-API-000245 | SV-274557r1143590_rule | CCI-000381 | medium |
| Description | ||||
| Exposing too many API endpoints, which are specific URLs or paths that allow clients to interact with various functions or data within the system, increases the attack surface. This exposure makes the API more vulnerable to unauthorized access, data breaches, and distributed denial-of-service (DDoS) attacks. By restricting access to only necessary endpoints, the API ensures that only authenticated and authorized users can reach sensitive data or critical operations. Limiting the number of exposed endpoints reduces system complexity, enhances performance, and enables more effective enforcement of rate limits and monitoring controls. | ||||
| STIG | Date | |||
| Application Programming Interface (API) Security Requirements Guide | 2025-09-24 | |||
Details
Check Text (C-274557r1143590_chk)
Review the API documentation and configuration. If any endpoints (i.e., URLs or paths that handle client requests) are publicly accessible without a valid business or security justification, or if unnecessary endpoints are exposed, this is a finding.
Fix Text (F-78563r1142482_fix)
Build or configure the API to limit the endpoint against improper exposure.