REST API Resource modifying data without Authentication check - No Author
Impact area: Security
Severity: High
Rule ID: SN-RESTAPI_DATAMOD_NO_AUTHOR
Impact: Defining a REST API Resource that handles a data-modifying HTTP verb (POST, DELETE or PATCH) without authorization restrictions enforced via ACLs is a security risk: any user who holds valid login credentials can use the resource to modify data in your instance.
Remediation: Ensure that every REST API Resource that can modify data requires authentication and enforces authorization checks (ACLs) before acting on the request.
Time to fix: 10 min