CUI

V-274846

Application Programming Interface (API) Security Requirements Guide

CAT II

Title

The API must audience-restrict assertions in accordance with organization-defined identification and authentication policy.

Description

<VulnDiscussion>An API must audience-restrict assertions to ensure the information or access granted by a token is only usable by its intended recipient. Assertions like JWTs or SAML tokens often include an "audience" (aud) claim, which specifies the exact service or API that is authorized to consume the assertion. Without this restriction, a token could be intercepted and used by an unintended or malicious service, potentially leading to unauthorized access or data breaches. By enforcing audien...
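The following is an added worked example, not code from the STIG or from any vendor: it shows what "audience-restrict assertions" means in practice for a JWT-consuming API. It assumes an HS256-signed JWT with a shared secret (a constructed demo value), a service named `orders-api` as the intended recipient, and a second service `billing-api` that receives a copy of the same token; all of those names are assumptions for illustration. The verifier checks the signature first, then requires an `aud` claim that names this service, accepting either the string or the array form RFC 7519 allows, and rejects tokens with no `aud` at all.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (issuer side). Used here only to build test tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, expected_audience: str, now=None) -> dict:
    """Verify signature, audience and expiry; return claims or raise ValueError.

    The audience check is the point of this requirement: a token that is
    cryptographically valid but addressed to another service is still rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # RFC 7519 section 4.1.3: aud is a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("missing aud claim")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")

    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


# Constructed demo secret; a real deployment uses a managed key, not a literal.
SECRET = b"constructed-demo-secret-not-for-production"


def demo() -> dict:
    """Same token presented to its intended audience and to another service."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    token = sign_jwt({"sub": "svc-frontend", "aud": "orders-api", "exp": now + 300}, SECRET)
    results = {}

    # Intended recipient: accepted.
    results["intended"] = verify_jwt(token, SECRET, "orders-api", now=now)["sub"]

    # Same token replayed against a different service: rejected on aud.
    try:
        verify_jwt(token, SECRET, "billing-api", now=now)
        results["replayed"] = "accepted"
    except ValueError as e:
        results["replayed"] = str(e)

    # Token with no aud at all: rejected, since it is not restricted to anyone.
    no_aud = sign_jwt({"sub": "svc-frontend", "exp": now + 300}, SECRET)
    try:
        verify_jwt(no_aud, SECRET, "orders-api", now=now)
        results["no_aud"] = "accepted"
    except ValueError as e:
        results["no_aud"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

Under the policy this requirement points to, `expected_audience` is the API's own configured identifier, set per deployment rather than read from the request; a verifier that merely checks that `aud` is present, or accepts any value, does not satisfy the control.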

Fix Text (Documentation Requirement)

Build or configure the API to audience-restrict assertions in accordance with organization-defined identification and authentication policy.
