Articles
Author
vacuum
Installing
Quick Start
About vacuum
Why?
Concepts
💥 Online Demo
FAQ
Ignoring Violations
Changelog
Configuring
VSCode Plugin
GitHub Action
CLI Commands
Lint
vacuum Report
Dashboard
HTML Report
Spectral Report
References
Version
Bundle Spec
Generate RuleSet
Language Server
Developer API
API Quick Start
Spec Index
RuleResultSet
Loading RuleSet
Custom Go Functions
Custom JS Functions
Non-OpenAPI Files
Functions
Core Functions
OpenAPI Functions
OWASP Functions
Rules
Examples
OWASP
Operations/Paths
Schemas
Spec Information
Validation
Descriptions
Tags
Security
RuleSets
What are they?
Sharing RuleSets
No Rules/Off
Recommended Rules
Custom RuleSets
OWASP Rules
  • GitHub GitHub Repo stars
  • Discord Discord Server
    • New! Try the OpenAPI DoctorThe OpenAPI Doctor

    noRequestBody

    noRequestBody scans an OpenAPI specification to ensure that GET and DELETE operations do not have a requestBody defined, enforcing HTTP best practices.

    How it works

    The function iterates through all paths and operations in your OpenAPI specification. For each GET and DELETE operation found, it checks whether a requestBody is defined. If one is found, a violation is reported.

    This function specifically checks:

    • All GET operations across all paths
    • All DELETE operations across all paths
    • Both inline and referenced request bodies

    Why this matters

    While not strictly forbidden by the HTTP specification, request bodies on GET and DELETE operations are problematic:

    1. GET semantics: GET requests should be safe and idempotent, used only for retrieval. Request bodies imply sending data for processing.

    2. DELETE semantics: DELETE operations identify resources via the URI. Additional data should use headers or query parameters.

    3. Compatibility issues: Many HTTP clients, proxies, caching layers, and servers may:

    • Silently drop the request body
    • Reject the request entirely
    • Produce unpredictable behavior
    1. API consistency: Following HTTP conventions makes your API more intuitive and easier to integrate with.

    Configuration

    This function does not accept any configuration options. It strictly enforces the rule that GET and DELETE operations should not have request bodies.

    Examples

    Invalid GET with request body

    paths:
  /search:
    get:
      requestBody:  # ❌ Will trigger violation
        content:
          application/json:
            schema:
              type: object

    Valid GET with parameters

    paths:
  /search:
    get:
      parameters:  # ✅ Use parameters instead
        - name: query
          in: query
          schema:
            type: string

    Invalid DELETE with request body

    paths:
  /users/{id}:
    delete:
      requestBody:  # ❌ Will trigger violation
        content:
          application/json:
            schema:
              type: object

    Valid DELETE with parameters

    paths:
  /users/{id}:
    delete:
      parameters:  # ✅ Use parameters if needed
        - name: id
          in: path
          required: true
          schema:
            type: string

    Rules using this function

    View Function Source

    What's on this page