CUI

STIG Rule - V-274534

V-274534

SV-274534r1143565_rule

CAT II

The API must audit request and response details (such as method, URL, headers, body, status, etc.).

From: Application Programming Interface (API) Security Requirements Guide (V1R1)

Description

By logging request and response data, the API can track the flow of information between clients and the system, providing a detailed audit trail that helps detect and analyze potential security incidents, such as unauthorized access attempts, data manipulation, or injection attacks.

Documentable: false

Check Procedure

Verify the API audits request and response details.

1. Inspect the API's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes.

2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome.

3. Verify the API is configured to log the necessary request and response details, such as the type of request, request parameters, and response status.

4. Review the API's documentation to ensure proper auditing of request and response details is enabled.

If the API is not auditing request and response details, this is a finding.

Fix Text

Build or configure the API to log the necessary request and response details such as method, URL, headers, body, status, etc.
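One way to meet this fix, shown here as an added example that is not part of the STIG and not the code of any particular API: a Python WSGI middleware that writes one structured audit record per exchange containing the method, URL, headers, body and status the rule names. The redacted header list, the body size cap, the echo endpoint and the constructed requests are assumptions for illustration; the redaction step is included because a log that captures Authorization or Cookie headers verbatim turns the audit trail itself into a credential store.

```python
import io
import json
import logging
from datetime import datetime, timezone
from wsgiref.util import request_uri, setup_testing_defaults

# Header names whose values must not be written to the audit trail.
# Assumption: this list is illustrative; extend it for your deployment.
REDACTED_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
MAX_BODY_BYTES = 4096  # assumption: cap on logged body size per direction

audit_log = logging.getLogger("api.audit")


def _redact(headers):
    """Replace secret-bearing header values so the log itself holds no credentials."""
    return {k: ("[REDACTED]" if k.lower() in REDACTED_HEADERS else v) for k, v in headers.items()}


def _request_headers(environ):
    """Reconstruct HTTP request headers from the WSGI environ (HTTP_* plus the two CGI exceptions)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
    for key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        if environ.get(key):
            headers[key.replace("_", "-").title()] = environ[key]
    return headers


def _body_fields(raw):
    """Bounded, decoded copy of a body plus a flag saying whether it was cut."""
    return {"body": raw[:MAX_BODY_BYTES].decode("utf-8", "replace"),
            "body_truncated": len(raw) > MAX_BODY_BYTES}


class AuditMiddleware:
    """WSGI middleware that emits one audit record per request/response pair."""

    def __init__(self, app, sink=None):
        self.app = app
        # Default sink: one JSON line per exchange on the 'api.audit' logger.
        self.sink = sink or (lambda rec: audit_log.info(json.dumps(rec)))

    def __call__(self, environ, start_response):
        # Read the request body once, then hand the wrapped app a fresh stream.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw_request = environ["wsgi.input"].read(length) if length else b""
        environ["wsgi.input"] = io.BytesIO(raw_request)

        captured = {}

        def capturing_start_response(status, response_headers, exc_info=None):
            captured["status"] = status
            captured["headers"] = dict(response_headers)  # repeated header names collapse here
            return start_response(status, response_headers, exc_info)

        result = self.app(environ, capturing_start_response)
        try:
            raw_response = b"".join(result)
        finally:
            close = getattr(result, "close", None)
            if close:
                close()

        record = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "client": environ.get("REMOTE_ADDR"),
            "request": {"method": environ["REQUEST_METHOD"], "url": request_uri(environ),
                        "headers": _redact(_request_headers(environ)), **_body_fields(raw_request)},
            "response": {"status": captured.get("status"),
                         "headers": _redact(captured.get("headers", {})), **_body_fields(raw_response)},
        }
        self.sink(record)
        return [raw_response]


def sample_app(environ, start_response):
    """Constructed sample endpoint (not a real API): POST /v1/users echoes its JSON body back."""
    if environ["REQUEST_METHOD"] == "POST" and environ.get("PATH_INFO") == "/v1/users":
        payload = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        start_response("201 Created", [("Content-Type", "application/json")])
        return [b'{"created":' + payload + b"}"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def audited_request(method, path, body=b"", headers=None):
    """Drive the middleware offline with a constructed WSGI environ; returns (status, body, record)."""
    path, _, query = path.partition("?")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "REMOTE_ADDR": "203.0.113.10",  # constructed client address (documentation range)
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for name, value in (headers or {}).items():
        key = name.upper().replace("-", "_")
        environ[key if key in ("CONTENT_TYPE", "CONTENT_LENGTH") else "HTTP_" + key] = value
    setup_testing_defaults(environ)  # fills host, scheme and port so request_uri() works

    records, status_box = [], {}
    app = AuditMiddleware(sample_app, sink=records.append)

    def start_response(status, response_headers, exc_info=None):
        status_box["status"] = status

    response_body = b"".join(app(environ, start_response))
    return status_box["status"], response_body, records[0]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    _, _, rec = audited_request("POST", "/v1/users", b'{"name":"alice"}',
                                {"Authorization": "Bearer s3cr3t", "Content-Type": "application/json"})
    print(json.dumps(rec, indent=2))
```

Running the module prints the audit record for one constructed POST; the Authorization value appears as "[REDACTED]", both bodies are present, and the truncation flag reports whether a body exceeded the cap. The same record structure serves check step 2 of the rule: replay a known request and compare the captured method, URL, headers, body and status against what was sent.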

CCI Reference

CCI-000130
Created
2026-04-07 20:08:09
Last Updated
2026-04-07 20:08:09