Check: SRG-APP-000400-API-000865
Application Programming Interface (API) SRG:
SRG-APP-000400-API-000865
(in version v1 r1)
Title
API refresh tokens must be configured to expire. (Cat II impact)
Discussion
Setting an expiration on refresh tokens bounds the window in which a leaked or stolen token can be abused. Limiting their lifespan also ensures tokens are rotated regularly and that users reauthenticate periodically, which keeps access rights current (a revoked or changed authorization is enforced at the next login rather than living on in a long-lived token). This practice helps mitigate risks such as unauthorized access and session hijacking.
Check Content
Verify that API refresh tokens are configured to expire according to organization-defined parameters (for example, a maximum token lifetime). If API refresh tokens are not configured to expire according to organization-defined parameters, this is a finding.
Fix Text
Build or configure API refresh tokens to expire according to organization-defined parameters.
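The following is an added example of what "configured to expire" looks like in code; it is not part of the SRG and not code from any particular product. It assumes an opaque refresh-token design backed by a server-side store (only token hashes are kept), and the two lifetime constants are placeholders for the organization-defined parameters the check refers to. Each token carries an expiry fixed at issuance, a successful redemption retires the token and issues a successor (rotation), replay of a retired token revokes the whole token family, and an absolute session lifetime stops rotation from extending a session indefinitely. The `audit_refresh_config` function is the check-content analogue for an assumed settings dictionary.

```python
"""Refresh tokens with an enforced lifetime (added example, not SRG code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed organization-defined parameters (placeholders, not SRG values).
REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 3600          # a refresh token lives at most 30 days
SESSION_ABSOLUTE_LIFETIME_SECONDS = 90 * 24 * 3600  # rotation cannot extend a session past 90 days


@dataclass
class RefreshRecord:
    subject: str
    family: str            # ties all rotations of one login together
    session_start: float
    expires_at: float
    used: bool = False


@dataclass
class RedeemResult:
    ok: bool
    reason: str
    subject: Optional[str] = None
    new_token: Optional[str] = None


class RefreshTokenStore:
    """Issues, validates, rotates and expires opaque refresh tokens.

    Only SHA-256 hashes of tokens are stored, so a copy of the store does
    not yield usable tokens. `clock` is injectable for testing.
    """

    def __init__(self, ttl: int = REFRESH_TOKEN_TTL_SECONDS,
                 absolute: int = SESSION_ABSOLUTE_LIFETIME_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._absolute = absolute
        self._clock = clock
        self._records: dict[str, RefreshRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, subject: str, family: Optional[str] = None,
              session_start: Optional[float] = None) -> str:
        """Mint a refresh token whose expiry is fixed at issuance."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = RefreshRecord(
            subject=subject,
            family=family or secrets.token_hex(8),
            session_start=now if session_start is None else session_start,
            expires_at=now + self._ttl,
        )
        return token

    def redeem(self, token: str) -> RedeemResult:
        """Validate a refresh token; on success retire it and return a successor."""
        now = self._clock()
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None:
            return RedeemResult(False, "unknown token")
        if rec.used:
            # A retired token presented again means the client or an attacker
            # holds a stale copy; revoke every token descended from that login.
            self.revoke_family(rec.family)
            return RedeemResult(False, "token reuse detected; session revoked")
        if now >= rec.expires_at:
            del self._records[key]
            return RedeemResult(False, "refresh token expired")
        if now >= rec.session_start + self._absolute:
            self.revoke_family(rec.family)
            return RedeemResult(False, "absolute session lifetime exceeded; reauthenticate")
        rec.used = True
        successor = self.issue(rec.subject, rec.family, rec.session_start)
        return RedeemResult(True, "ok", rec.subject, successor)

    def revoke_family(self, family: str) -> int:
        doomed = [k for k, r in self._records.items() if r.family == family]
        for k in doomed:
            del self._records[k]
        return len(doomed)


def audit_refresh_config(config: dict, max_ttl: int = REFRESH_TOKEN_TTL_SECONDS) -> list[str]:
    """Check-content analogue for an assumed settings dict.

    A missing, zero or negative `refresh_token_ttl_seconds` means tokens never
    expire; a value above the organization-defined maximum is also a finding.
    """
    ttl = config.get("refresh_token_ttl_seconds")
    if ttl is None or ttl <= 0:
        return ["refresh tokens are not configured to expire: finding"]
    if ttl > max_ttl:
        return [f"refresh token lifetime {ttl}s exceeds organization-defined maximum {max_ttl}s: finding"]
    return []
```

When reviewing a real deployment against this control, the value to look for is the equivalent of `expires_at` being set on every refresh token at issuance and enforced on every redemption; a configurable lifetime that defaults to "never" still fails the check unless the deployed configuration sets it.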
Additional Identifiers
Rule ID: SV-274681r1143714_rule
Vulnerability ID: V-274681
Group Title: SRG-APP-000400
CCIs
| Number | Definition |
|---|---|
| CCI-002007 | Prohibit the use of cached authenticators after an organization-defined time period. |
Controls
| Number | Title |
|---|---|
| IA-5(13) | Expiration of Cached Authenticators |