Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api_key is not a good example for an HTTP header, because of the underscore #3225

Closed
perrinjerome opened this issue Apr 1, 2023 · 3 comments
Closed

api_key is not a good example for an HTTP header, because of the underscore #3225

perrinjerome opened this issue Apr 1, 2023 · 3 comments
Labels
examples requests for more or better examples in the specification http Supporting HTTP features and interactions
Milestone
v3.0.4

Comments

@perrinjerome
Copy link
Contributor

Several HTTP servers strip HTTP headers when they contain _ for security reasons. Using something like api-key instead of api_key in the examples would be a more realistic example.

For references, nginx drops headers with underscores by default ( see https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers or https://dev.to/thesameeric/dont-use-underscores-in-your-http-headers-gfp ) django project's blog ( https://www.djangoproject.com/weblog/2015/jan/13/security/ ) has a good description of the problem. Other servers such as waitress ( Pylons/waitress#80 ) followed by dropping headers with underscore. I think apache http also drop such headers ( https://httpd.apache.org/docs/trunk/en/new_features_2_4.html#:~:text=Header%20names%20containing%20invalid%20characters%20(including%20underscores)%20are%20no%20longer%20converted%20to%20environment%20variables )

What I'm thinking is that in places where api_key is used to give an example of a header, for example in

OpenAPI-Specification/versions/3.1.0.md

Lines 566 to 567 in 2408885

"name": "api_key",
"in": "header"

using something like api-key might be better.
@MikeRalphson
Copy link
Member

Very interesting! Do you have time to raise a PR against the v3.1.1-dev branch?

perrinjerome added a commit to perrinjerome/OpenAPI-Specification that referenced this issue Apr 1, 2023
@perrinjerome
Use api-key instead of api_key as example header name
9bf45ce 
Several HTTP servers drop http headers with underscores.

Fixes OAI#3225
@perrinjerome perrinjerome mentioned this issue Apr 1, 2023
Merged
@perrinjerome
Copy link
Contributor Author

Thanks ! I made a PR, please take a look

perrinjerome added a commit to perrinjerome/swagger-petstore that referenced this issue Apr 1, 2023
@perrinjerome
openapi.yaml: use api-key for header name
85f52a4 
Headers with _ are stripped by some web servers.

See also OAI/OpenAPI-Specification#3225
@perrinjerome perrinjerome mentioned this issue Apr 1, 2023
Open
darrelmiller pushed a commit that referenced this issue Apr 13, 2023
@perrinjerome
Use api-key instead of api_key as example header name (#3226)
6f7b9a4 
Several HTTP servers drop http headers with underscores.

Fixes #3225
charjr pushed a commit to charjr/OpenAPI-Specification that referenced this issue Apr 27, 2023
@perrinjerome @charjr
Use api-key instead of api_key as example header name (OAI#3226)
a304b30 
Several HTTP servers drop http headers with underscores.

Fixes OAI#3225
charjr pushed a commit to charjr/OpenAPI-Specification that referenced this issue Apr 27, 2023
@perrinjerome @charjr
Use api-key instead of api_key as example header name (OAI#3226)
d52d3a2 
Several HTTP servers drop http headers with underscores.

Fixes OAI#3225
@handrews handrews added the examples requests for more or better examples in the specification label Jan 27, 2024
@handrews handrews added this to the v3.1.1 milestone Jan 27, 2024
@handrews
Copy link
Member

PR was merged - closing, and thanks for fixing this!

@handrews handrews added the http Supporting HTTP features and interactions label May 17, 2024
@handrews handrews modified the milestones: v3.1.1, v3.0.4 May 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
examples requests for more or better examples in the specification http Supporting HTTP features and interactions
Projects
None yet
Milestone
v3.0.4
Development

No branches or pull requests
3 participants
@MikeRalphson @perrinjerome @handrews