Articles
Author
vacuum
Installing
Quick Start
About vacuum
Why?
Concepts
💥 Online Demo
FAQ
Changelog
Configuring
VSCode Plugin
CLI Commands
Lint
vacuum Report
Dashboard
HTML Report
Spectral Report
References
Version
Bundle Spec
Generate RuleSet
Language Server
Developer API
API Quick Start
Spec Index
RuleResultSet
Loading RuleSet
Custom Go Functions
Custom JS Functions
Non-OpenAPI Files
Functions
Core Functions
OpenAPI Functions
OWASP Functions
Rules
Examples
OWASP
Operations/Paths
Schemas
Spec Information
Validation
Descriptions
Tags
Security
RuleSets
What are they?
Sharing RuleSets
All Rules
No Rules/Off
Recommended Rules
Custom RuleSets
OWASP Rules
  • GitHub GitHub Repo stars
  • Discord Discord Server
    • Recommended

    oas2-api-schemes

    Formats: Severity:

    In OpenAPI 2 schemes is a string array, that contains URIs that define the HTTP transport types used by the API spec.

    Knowing over which HTTP transport an API operates is important for automation and code generation.

    We should NOT use HTTP in public internet facing APIs. Generally it’s OK when used behind a secured API gateway. We should always use HTTPS over HTTP for any public API.

    Values can ONLY be one of: http, https, ws or wss to be valid, however vacuum is not checking the contents of the array.

    Why did this violation appear?

    schemes is missing from the spec, or the supplied value is not an array

    Bad example

    swagger: 2.0
host: "quobix.com"
paths:
 /vacuum:
  ...

    Good example

    swagger: 2.0
host: "quobix.com"
schemes:
 - "https"
paths:
 /vacuum:
  ...

    How do I fix this violation?

    Ensure that the schemes property is present, and the content is defined as an array

    Spectral Equivalent

    The rule is equivalent to oas2-api-schemes