Check: SRG-APP-000095-API-001790
Application Programming Interface (API) SRG, version v1 r1
Title
The API Gateway must audit request and response details (such as method, URL, headers, body, status, etc.). (Cat II impact)
Discussion
The API Gateway must audit request and response details to ensure robust security, efficient troubleshooting, and compliance with regulations. As the central point for handling incoming traffic, the gateway is responsible for managing authentication, authorization, routing, and applying policies across all services. By auditing request and response details, the gateway can monitor for potential security threats, such as unauthorized access attempts, data tampering, or malicious activities like SQL injection and cross-site scripting (XSS). Detailed logs provide valuable information for troubleshooting issues, enabling quick identification of problematic requests, errors, or performance bottlenecks, which can be essential for maintaining system reliability.
Check Content
If an API Gateway is not in use, this is Not Applicable.

Verify the API Gateway audits request and response details.

1. Inspect the API Gateway's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes.
2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome.
3. Verify the API Gateway is configured to log the necessary request and response details, such as the type of request, request parameters, and response status.
4. Review the API Gateway's documentation to ensure proper auditing of request and response details is enabled.

If the API Gateway is not auditing request and response details, this is a finding.
Fix Text
Build or configure the API Gateway to log the necessary request and response details such as method, URL, headers, body, status, etc.
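The following is an added example and is not part of the SRG text or any gateway vendor's code. It shows the two halves of this requirement in working form: building an audit record that carries the fields the title names (method, URL, headers, body, status) for each request/response pair, and running the check described under Check Content over a gateway audit log to flag records that omit any of those fields. It also handles the caveat a practitioner hits as soon as headers and bodies are logged verbatim: credentials in Authorization, Cookie and API-key headers land in the audit trail, so the record builder redacts them, and the checker flags any record that stored them in the clear. The field names, the sensitive-header list, the body size cap, and the sample log lines are all assumptions constructed for this example; a real gateway's log schema will use its own names.

```python
"""Audit-record construction and audit-log verification for an API Gateway.

Added example for SRG-APP-000095-API-001790; field names, header list and
sample data are this example's assumptions, not a vendor's schema.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

# Fields the SRG title names: method, URL, headers, body, status (both sides).
# The key names are an assumption of this example.
REQUIRED_FIELDS = (
    "method", "url", "request_headers", "request_body",
    "status", "response_headers", "response_body",
)

# Headers whose values must not be stored in the clear. Assumed list; extend it
# for the credentials your deployment actually carries in headers.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
}
REDACTED = "[REDACTED]"

# Bound stored body size so auditing bodies cannot be used to flood the log.
MAX_BODY_BYTES = 4096  # assumption


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep header names (they establish what happened) but mask secret values."""
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def truncate_body(body: str) -> str:
    """Cap the stored body and record how much was dropped."""
    if len(body) <= MAX_BODY_BYTES:
        return body
    dropped = len(body) - MAX_BODY_BYTES
    return body[:MAX_BODY_BYTES] + f"...[truncated {dropped} bytes]"


def audit_record(request: Dict[str, Any], response: Dict[str, Any]) -> Dict[str, Any]:
    """Build one audit record from a request/response pair (plain dicts here)."""
    return {
        "method": request["method"],
        "url": request["url"],
        "request_headers": redact_headers(request.get("headers", {})),
        "request_body": truncate_body(request.get("body", "")),
        "status": response["status"],
        "response_headers": redact_headers(response.get("headers", {})),
        "response_body": truncate_body(response.get("body", "")),
    }


def check_audit_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, problem) for each JSON-lines record that fails the check.

    A record fails when it lacks a required field (the SRG check) or stores a
    sensitive header value in the clear (the practitioner's caveat).
    """
    findings: List[Tuple[int, str]] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((n, "missing " + ", ".join(missing)))
            continue
        for side in ("request_headers", "response_headers"):
            leaked = [k for k, v in rec[side].items()
                      if k.lower() in SENSITIVE_HEADERS and v != REDACTED]
            if leaked:
                findings.append((n, f"{side} logs {', '.join(leaked)} in the clear"))
    return findings


# Constructed sample log: one record produced by audit_record(), one from a
# gateway that logs only method/url/status, one that stored a bearer token.
SAMPLE_LOG = "\n".join([
    json.dumps(audit_record(
        {"method": "POST", "url": "/v1/orders",
         "headers": {"Authorization": "Bearer abc123", "Content-Type": "application/json"},
         "body": '{"sku": "A-1", "qty": 2}'},
        {"status": 201, "headers": {"Content-Type": "application/json"},
         "body": '{"id": 77}'},
    )),
    '{"method": "GET", "url": "/v1/orders/77", "status": 200}',
    '{"method": "DELETE", "url": "/v1/orders/77", '
    '"request_headers": {"Authorization": "Bearer abc123"}, "request_body": "", '
    '"status": 204, "response_headers": {}, "response_body": ""}',
])


if __name__ == "__main__":
    for line_no, problem in check_audit_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {problem}")
```

Run against the constructed log, the checker reports line 2 (no headers or bodies logged) and line 3 (Authorization stored in the clear); line 1 passes because the record builder redacted the bearer token before it was written. Step 2 of the Check Content maps onto the same code: issue known requests through the gateway, then feed its real log to `check_audit_log`.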
Additional Identifiers
Rule ID: SV-274533r1143563_rule
Vulnerability ID: V-274533
Group Title: SRG-APP-000095
CCIs
| Number | Definition |
|---|---|
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
Controls
| Number | Title |
|---|---|
| AU-3 | Content of Audit Records |