The API must protect Session IDs via encryption.

Overview

Finding ID: V-274600
Version: SRG-APP-000219-API-000460
Rule ID: SV-274600r1143633_rule
IA Controls: CCI-001184
Severity: medium

Description
Encrypting Session IDs protects them from interception and unauthorized access, preventing session hijacking and ensuring the confidentiality and integrity of user sessions.

STIG: Application Programming Interface (API) Security Requirements Guide
Date: 2025-09-24

Related Frameworks

3 paths across 3 frameworks

NIST 800-53 (1 mapping): SC-23 (score 1.00)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (1 mapping)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping): CCI-001184 (score 1.00)
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-274600r1143633_chk)

Verify the API protects Session IDs. Review the API documentation and configuration. Interview the API administrator and obtain implementation documentation identifying the system architecture. Identify the API communication paths, including system-to-system and client-to-server communication that transmits session identifiers over the network. Have the API administrator identify the methods and mechanisms used to protect the API session ID traffic. Acceptable methods include SSL/TLS (both one-way and two-way) and VPN tunnels. The protections must be implemented on a point-to-point basis according to the architecture of the API. For example, a web API hosting static data will provide SSL/TLS encryption from the web client to the web server. More complex designs may also encrypt from API server to API server (if applicable) and from API server to database. If the API session IDs are unencrypted across any network segment, this is a finding.

Fix Text (F-78606r1142611_fix)

Build or configure the API to protect session IDs from interception or manipulation.
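The following is an added example, not DISA's text or any project's code, showing both halves of this rule in working form: an audit over a constructed inventory of communication paths (the client-to-server and server-to-server hops the Check Text asks the assessor to enumerate, flagging any that carry a session ID without an accepted protection), and a minimal request handler that only issues or honours a session ID over a TLS hop and treats an ID that has already crossed the wire in clear text as exposed. The cookie name, the inventory entries, the `app.trusted_tls_proxy` key and the in-memory session store are all assumptions made for the example.

```python
"""Added example for SRG-APP-000219-API-000460 (not DISA's or any project's code).
Everything below is constructed for illustration."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed cookie name

# The Check Text's acceptable methods for a hop that carries session IDs.
ACCEPTED_PROTECTIONS = {"tls-one-way", "tls-two-way", "vpn"}

# Constructed inventory in the shape an assessor collects from the
# implementation documentation. Path names are hypothetical.
PATH_INVENTORY = [
    {"path": "browser -> api-gateway",      "carries_session_id": True,  "protection": "tls-one-way"},
    {"path": "api-gateway -> orders-api",   "carries_session_id": True,  "protection": "none"},
    {"path": "orders-api -> postgres",      "carries_session_id": False, "protection": "none"},
    {"path": "orders-api -> session-cache", "carries_session_id": True,  "protection": "tls-two-way"},
]


def audit_paths(inventory):
    """Return the paths that transmit session IDs without an accepted protection.
    A non-empty result is a finding under this rule; paths that never carry a
    session ID are out of scope here even when unencrypted."""
    return [p["path"] for p in inventory
            if p["carries_session_id"] and p["protection"] not in ACCEPTED_PROTECTIONS]


# In-memory session store for the demo; a real API would use a backing store
# that is itself reached over a protected hop (see the inventory above).
_sessions = set()
_revoked = set()


def request_is_encrypted(environ):
    """True when the hop this request arrived on was TLS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Behind a TLS-terminating proxy, believe X-Forwarded-Proto only when the
    # deployment explicitly marks the proxy hop as trusted (assumed key).
    return bool(environ.get("app.trusted_tls_proxy")) and \
        environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def presented_session_id(environ):
    """Extract the session ID from the Cookie header, if any."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def handle(environ):
    """Minimal WSGI-style handler returning (status, headers, body)."""
    sid = presented_session_id(environ)
    if not request_is_encrypted(environ):
        # An ID that has travelled in clear text must be treated as exposed:
        # revoke it instead of continuing to honour it, and issue nothing.
        if sid in _sessions:
            _sessions.discard(sid)
            _revoked.add(sid)
        return ("426 Upgrade Required",
                [("Upgrade", "TLS/1.3"), ("Content-Type", "text/plain")],
                b"session identifiers are only accepted over TLS")
    if sid in _sessions:
        return ("200 OK", [("Content-Type", "text/plain")], b"authenticated")
    # Fresh session: unguessable ID, Secure so the browser never sends it over
    # plaintext, HttpOnly and SameSite to narrow how it can be read or replayed.
    new_sid = secrets.token_urlsafe(32)
    _sessions.add(new_sid)
    cookie = f"{SESSION_COOKIE}={new_sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
    return ("200 OK",
            [("Set-Cookie", cookie), ("Content-Type", "text/plain")],
            b"session issued")


if __name__ == "__main__":
    print("unprotected paths:", audit_paths(PATH_INVENTORY))
    print(handle({"wsgi.url_scheme": "http"})[0])
    print(handle({"wsgi.url_scheme": "https"})[1][0])
```

Running the block prints the one inventory path that would be a finding (the gateway-to-service hop carrying the session ID in the clear) and shows that a plaintext request gets no session cookie while a TLS request does. The revocation step is the defender's answer to the second half of the Fix Text: once an ID is observed on an unprotected segment, it can no longer be trusted against manipulation or replay, so the handler drops it and starts over.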