The API must encode outputs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274767 | SRG-APP-000516-API-001295 | SV-274767r1143805_rule | CCI-000366 | medium |
| Description | ||||
| Output encoding ensures data sent from an API is properly formatted and does not cause unintended effects on the receiving end. Requiring an API to encode its outputs is a security measure to prevent Cross-Site Scripting (XSS), HTTP Response Splitting, and Log Injection vulnerabilities. Without proper encoding, an attacker could inject malicious scripts into API responses, which could be executed when displayed in a web application, leading to XSS attacks. Improperly encoded responses could allow attackers to manipulate HTTP headers, causing response splitting that may facilitate cache poisoning or session fixation. Unencoded user input in logs could introduce log injection issues, obscuring attack traces or triggering unintended system behavior. Encoding output ensures special characters are safely represented, preventing unintended execution or injection attacks. | ||||
| STIG | Date | |||
| Application Programming Interface (API) Security Requirements Guide | 2025-09-24 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-274767r1143805_chk)
Verify the API encodes outputs.
If the API does not encode outputs, this is a finding.
Fix Text (F-78773r1143112_fix)
Build or configure the API to encode outputs.