Vulnerability Discussion
All defined API elements and their security-relevant configurations must be documented and enforced, ensuring compliance with the organization's approved security baselines.
Identifying all API elements that must be logged is essential for security, monitoring, and threat detection.
Documenting and enforcing security-relevant configurations for all defined API elements ensures consistency, reduces misconfigurations, and supports compliance with organizational security baselines. This practice enhances system integrity, simplifies audits, and helps prevent vulnerabilities caused by undocumented or insecure API behaviors.
Check
To identify APIs in use:
Analyze application code for API calls, URLs, and authentication keys in frontend and backend components.
Use network monitoring tools to capture API traffic in real time.
Check browser DevTools (Network tab) for active API requests in web applications.
Review server and API gateway logs (e.g., AWS CloudWatch, Nginx logs) to track API calls and usage patterns.
Inspect configuration files, environment variables, and documentation for references to external or internal APIs.
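The following script is an added example, not part of this check text, of how the discovery steps above can be combined into a single comparison against the documented baseline: it pulls API paths out of hard-coded URLs in application code and out of gateway access logs, then reports any element missing from the documented inventory and any documented element whose security-relevant settings (authentication, logging) fall short. The source snippets, log lines and inventory are constructed sample data; the inventory format is an assumption.

```python
import re

# Constructed sample inputs; none of these are taken from a real system.
SOURCE_SNIPPETS = [
    'fetch("https://api.example.internal/v1/users", {headers: {"X-Api-Key": key}})',
    'requests.post("https://api.example.internal/v1/orders", json=body)',
    'PAYMENT_URL = "https://payments.example.com/v2/charge"',
]
ACCESS_LOG = [  # constructed, Nginx combined-format style
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /v1/users HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "POST /v1/orders HTTP/1.1" 201 88',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /v1/admin/export HTTP/1.1" 200 9031',
]
# Assumed documentation format: approved element -> its security-relevant settings.
DOCUMENTED = {
    "/v1/users":  {"auth": "api_key", "logging": True},
    "/v1/orders": {"auth": "oauth2",  "logging": True},
    "/v2/charge": {"auth": "oauth2",  "logging": False},  # documented but not logged
}

URL_RE = re.compile(r'https?://[^\s"\']+')
LOG_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

def discover_from_code(snippets):
    """API paths referenced by hard-coded URLs in application code."""
    paths = set()
    for line in snippets:
        for url in URL_RE.findall(line):
            # Keep only the path component after the scheme and host.
            path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
            paths.add("/" + path.split("?")[0])
    return paths

def discover_from_logs(log_lines):
    """API paths actually served, according to gateway/server access logs."""
    return {m.group(1).split("?")[0]
            for line in log_lines for m in [LOG_RE.search(line)] if m}

def audit(documented, observed):
    """Return (undocumented, misconfigured) element lists relative to the baseline."""
    undocumented = sorted(p for p in observed if p not in documented)
    misconfigured = sorted(p for p, cfg in documented.items()
                           if not cfg.get("logging") or cfg.get("auth") in (None, "none"))
    return undocumented, misconfigured

if __name__ == "__main__":
    seen = discover_from_code(SOURCE_SNIPPETS) | discover_from_logs(ACCESS_LOG)
    undoc, miscfg = audit(DOCUMENTED, seen)
    print("Undocumented API elements (finding):", undoc)
    print("Documented elements not meeting baseline (finding):", miscfg)
```

Either non-empty list corresponds to a finding under this check; in practice the inventory would be loaded from the organization's own API documentation rather than embedded.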
If any defined API elements or their security-relevant configurations are not documented and enforced in accordance with the organization's approved security baselines, this is a finding.
Fix
Update the documentation to include all defined API elements and their security-relevant configurations. Ensure each element is properly logged and monitored in accordance with the organization's approved security baselines.