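rules:
  # OAS 3 ignores `Authorization`, `Content-Type` and `Accept` when they are
  # declared as header parameters (and `Content-Type` as a response header):
  # content negotiation belongs to the media types under `content`, and
  # authentication to `securitySchemes` / `security`. Declaring them as plain
  # headers hides the auth requirement from validators, gateways and generated
  # clients, which is why this rule is an error rather than a warning.
  no-forbidden-headers:
    description: |-
      OAS do not allow using the following HTTP headers in a specification
      file: Authorization, Content-Type and Accept.
      You MUST use the associate functionalities provided by OAS, instead.
    message: |-
      {{error}} in {{path}} {{value}}
    severity: error
    given:
      # names of header parameters, wherever `parameters` appears
      - "$..parameters[?(@.in == 'header')].name"
      # names of response headers (the trailing `~` selects the key itself)
      - "$..[responses][*].headers.*~"
    then:
      function: pattern
      functionOptions:
        notMatch: >-
          /^(accept|content-type|authorization)$/i

  # RFC 6648 deprecates the `X-` prefix for application-defined headers.
  # The whole rule is anchored and merged into `no-x-headers-response`;
  # only `given` and `message` differ between the request and response forms.
  no-x-headers-request: &no-x-headers
    description: |-
      'HTTP' headers SHOULD NOT start with 'X-' RFC6648.
    severity: warn
    given:
      - "$..parameters[?(@.in == 'header')].name"
    message: |-
      HTTP header '{{value}}' SHOULD NOT start with 'X-' in {{path}}
    recommended: true
    type: style
    then:
      function: pattern
      functionOptions:
        # De Morgan: !~ /^x-/ <=> h[0] != 'x' || h[1] != '-'
        # The remaining, unanchored alternatives exempt any name containing
        # `RateLimit-`, `Correlation-ID` or `ReplyTo` (e.g. `X-RateLimit-Limit`).
        match: >-
          /^([^x]|.[^-])|RateLimit-|Correlation-ID|ReplyTo/i

  no-x-headers-response:
    <<: *no-x-headers
    # `then` (and the regex) is inherited from the anchor above so the two
    # rules cannot drift apart; only the selector and message are overridden.
    given:
      - "$..[responses][*].headers.*~"
    message: |-
      HTTP response header SHOULD NOT start with 'X-' in {{path}}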