Missing API versioning

Severity
Info
Applies to
Proxy
Links
CWE-710

Why This Issue Is Important

Without an explicit version in the API path, there is no clean way to retire deprecated or unmaintained endpoints without breaking every consumer at once, so outdated and potentially vulnerable code tends to stay reachable long after it should have been removed. A versioned BasePath lets you ship security fixes and breaking changes as a new version, announce and enforce deprecation of the old one on a schedule, and confirm that only maintained versions remain in service.

How This Issue Is Detected

This check reads the BasePath element inside the HTTPProxyConnection of each ProxyEndpoint in the Apigee proxy configuration. If the path contains no version segment (for example /v1 or /v2), the rule raises an Info-level warning for the missing versioning. The check is a path-based heuristic only: a proxy that versions its API through a request header or query parameter rather than the path will still be flagged, and a version segment anywhere in the path is what satisfies it.
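As an added illustration of that detection logic (example code written for this page, not the linter's own implementation), the script below parses a ProxyEndpoint document with Python's standard library, pulls the BasePath out of every HTTPProxyConnection, and reports the ones with no version segment. The version regex and the two sample ProxyEndpoint documents are constructed for this example; the rule's exact pattern is not given on this page, and an HTTPProxyConnection with no BasePath at all is treated as unversioned.

```python
import re
import xml.etree.ElementTree as ET

# Assumed version-segment pattern (the page does not give the rule's exact regex):
# a path segment such as v1, V2, v1.2 or v1beta1, but not a word like "vendor".
VERSION_SEGMENT = re.compile(r"^v\d+[\w.-]*$", re.IGNORECASE)


def has_version_segment(base_path: str) -> bool:
    """True if any '/'-separated segment of base_path looks like an API version."""
    segments = [s for s in base_path.strip().split("/") if s]
    return any(VERSION_SEGMENT.match(s) for s in segments)


def find_base_paths(proxy_endpoint_xml: str) -> list[str]:
    """Return the BasePath of every HTTPProxyConnection in a ProxyEndpoint document.

    A connection with no BasePath child yields "" so it is still reported.
    """
    root = ET.fromstring(proxy_endpoint_xml)
    return [
        (conn.findtext("BasePath") or "").strip()
        for conn in root.iter("HTTPProxyConnection")
    ]


def lint_versioning(proxy_endpoint_xml: str) -> list[str]:
    """Return the base paths that carry no version segment (empty list = clean)."""
    return [bp for bp in find_base_paths(proxy_endpoint_xml) if not has_version_segment(bp)]


# Constructed sample ProxyEndpoint documents for this example.
UNVERSIONED_ENDPOINT = """\
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/myapi</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
"""

VERSIONED_ENDPOINT = UNVERSIONED_ENDPOINT.replace("/myapi", "/v1/myapi")


if __name__ == "__main__":
    for name, doc in [("unversioned", UNVERSIONED_ENDPOINT), ("versioned", VERSIONED_ENDPOINT)]:
        findings = lint_versioning(doc)
        if findings:
            for bp in findings:
                print(f"{name}: BasePath '{bp}' has no version segment (CWE-710)")
        else:
            print(f"{name}: ok")
```

Run it against the proxies/*.xml files of a proxy bundle to get the same finding the rule produces; because the check only inspects the path, treat its output as a prompt to verify how an API is actually versioned rather than as proof that it is not.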

How to Fix the Issue

To fix this issue, update the BasePath of your API proxy to include a version number. This is typically done by appending a version segment to the path, like /v1 or /v2. Here’s an example:

<HTTPProxyConnection>
    <BasePath>/v1/myapi</BasePath>
</HTTPProxyConnection>

This scheme lets you introduce a new version (e.g., /v2/myapi) as its own ProxyEndpoint or proxy without disrupting consumers of /v1/myapi. Note that changing an already deployed unversioned BasePath is itself a breaking change: keep the old path routed, for example as a deprecated ProxyEndpoint alongside the versioned one, until existing consumers have migrated, and only then remove it.