V-274844
Application Programming Interface (API) Security Requirements Guide
Title
The API must revoke assertions in accordance with organization-defined identification and authentication policy.
Description
<VulnDiscussion>An API must revoke assertions to immediately terminate access when a user's credentials are compromised, their permissions change, or their session is no longer valid. Assertions like JWTs or SAML tokens grant access to protected resources, and if not actively revoked, can be exploited even after a user's access is removed. By supporting assertion revocation, such as maintaining a token blacklist or using short-lived tokens with active invalidation, the API enhances security by e...
Fix Text (Documentation Requirement)
Build or configure the API to revoke assertions in accordance with organization-defined identification and authentication policy.
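A minimal illustration of the two revocation approaches the discussion names, a denylist of revoked assertion ids plus short-lived tokens, as an added example that is not part of the STIG text or any particular product. It assumes the assertion's signature has already been verified and that its claims use JWT-style names (`sub`, `jti`, `iat`, `exp`); `RevocationStore`, `check_assertion` and the sample claims are constructed for this example.

```python
import time

# Constructed sample claims of an assertion whose signature has already
# been verified (JWT-style names); a real API parses these from the token.
SAMPLE_CLAIMS = {"sub": "alice", "jti": "tok-0001",
                 "iat": 1_700_000_000, "exp": 1_700_000_600}


class RevocationStore:
    """Denylist of revoked assertion ids plus per-subject cutoff times.

    A revoked jti is only remembered until that token's own `exp`, so with
    short-lived tokens the denylist stays bounded instead of growing forever.
    """

    def __init__(self):
        self.revoked_jti = {}      # jti -> exp of the revoked token
        self.subject_cutoff = {}   # sub -> tokens issued at/before this are invalid

    def revoke_token(self, jti, exp):
        self.revoked_jti[jti] = exp

    def revoke_subject(self, sub, at):
        # Invalidate every assertion issued to `sub` at or before `at`: covers
        # credential compromise, permission changes and "log out everywhere".
        self.subject_cutoff[sub] = max(at, self.subject_cutoff.get(sub, 0))

    def purge(self, now):
        # Drop denylist entries for tokens that have expired on their own.
        self.revoked_jti = {j: e for j, e in self.revoked_jti.items() if e > now}


def check_assertion(claims, store, now=None):
    """Return 'ok' if the assertion may be honoured, else the reason to reject it."""
    now = int(time.time()) if now is None else now
    for key in ("sub", "jti", "iat", "exp"):
        if key not in claims:
            return "malformed"          # cannot apply the policy without these claims
    if now >= claims["exp"]:
        return "expired"                # short lifetime bounds the exposure window
    if claims["jti"] in store.revoked_jti:
        return "revoked"                # explicitly revoked assertion
    cutoff = store.subject_cutoff.get(claims["sub"])
    if cutoff is not None and claims["iat"] <= cutoff:
        return "revoked"                # issued before the subject-wide cutoff
    return "ok"
```

The per-request check must run on every protected call, since an assertion that validated a minute ago may have been revoked since.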