Articles
Author
vacuum
Installing
Quick Start
About vacuum
Why?
Concepts
💥 Online Demo
FAQ
Ignoring Violations
Changelog
Configuring
VSCode Plugin
CLI Commands
Lint
vacuum Report
Dashboard
HTML Report
Spectral Report
References
Version
Bundle Spec
Generate RuleSet
Language Server
Developer API
API Quick Start
Spec Index
RuleResultSet
Loading RuleSet
Custom Go Functions
Custom JS Functions
Non-OpenAPI Files
Functions
Core Functions
OpenAPI Functions
OWASP Functions
Rules
Examples
OWASP
Operations/Paths
Schemas
Spec Information
Validation
Descriptions
Tags
Security
RuleSets
What are they?
Sharing RuleSets
No Rules/Off
Recommended Rules
Custom RuleSets
OWASP Rules
  • GitHub GitHub Repo stars
  • Discord Discord Server
    • ✨ New! Try the OpenAPI Doctor ✨ The OpenAPI Doctor

    OWASP Functions

    Open Worldwide Application Security Project (OWASP) Functions for OWASP Rules.

    These functions power a portion of the OWASP Rules. They were originally written by Ricardo Graça.

    owaspExternalExample

    Checks that an external example and an example are not used together.

    owaspArrayLimit

    Checks array schema types also define maxItems

    owaspAuthInsecureSchemes

    Checks authentication schemes used are not outdated and insecure.

    owaspBasicAuth

    Checks no Basic auth is used in the API.

    owaspCheckErrorResponse

    Checks if an error response has been defined for a given status code.

    owaspHostsHttps

    Checks that server hosts use HTTPS (not HTTP)

    owaspIntegerFormat

    Checks integers specify format (int32 or int64)

    owaspIntegerLimit

    Checks integers specify minimum and maximum or exclusiveMinimum and exclusiveMaximum

    owaspJWTBestPractice

    Checks JWTs explicitly declare support for RFC8725

    owaspNoAdditionalProperties

    Checks that no additional properties are allowed in the API.

    owaspNoAdditionalPropertiesConstrained

    Checks schema defines maxProperties when additionalProperties is an object

    owaspNoApiKeyInUrl

    Checks no parameters are used in the URL to pass API keys.

    owaspNoCredentialsInUrl

    Checks no credentials are used in the URL.

    owaspNoNumericIds

    Checks that no numeric IDs are used in the API.

    owaspRatelimitRetryAfter

    Checks that any 429 response, contains a Retry-After header.

    owaspStringLimit

    Checks strings specify maxLength, enum, or const

    owaspStringRestricted

    Checks strings must specify a format, pattern, enum, or const

    owaspHeaderDefinition

    Check if a header has been defined or not from the list of headers.

    owaspDefineErrorDefinition

    Check if global or operation level security has been defined.

    owaspCheckSecurity

    Check if global or operation level security has been defined.