
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274844

CAT II (Medium)

The API must revoke assertions in accordance with organization-defined identification and authentication policy.

Rule ID

SV-274844r1143890_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-005161, CCI-000366

Discussion

An API must revoke assertions to immediately terminate access when a user's credentials are compromised, their permissions change, or their session is no longer valid. Assertions like JWTs or SAML tokens grant access to protected resources, and if not actively revoked, can be exploited even after a user's access is removed. By supporting assertion revocation, such as maintaining a token blacklist or using short-lived tokens with active invalidation, the API enhances security by ensuring outdated or potentially dangerous assertions cannot be reused. This is critical in scenarios involving logout, credential theft, or administrative role changes, where continued access could lead to unauthorized data exposure or system compromise.

Check Content

Verify that the API has an implemented and functional revocation mechanism. This could involve endpoints or methods that allow for the invalidation of assertions, such as a revocation list or a central system for tracking revoked assertions.

Simulate the revocation of assertions by either manually revoking access or simulating scenarios that trigger revocation (e.g., a user's session being terminated, access being revoked due to a policy violation). Ensure the API properly invalidates the assertions and prevents further access with the revoked assertions.

Review logging and auditing of revocation events. Confirm that the API logs revocation events, capturing key details such as who initiated the revocation, when it occurred, and why it was revoked.

After revocation, test that any attempt to use the revoked assertion is properly rejected by the API. The API should deny access if the assertion has been invalidated, ensuring no further use is possible.

Refer to the API's documentation to confirm that revocation processes are correctly implemented in line with the organization's defined policies for identity management and authentication.

If the API does not revoke assertions in accordance with organization-defined identification and authentication policy, this is a finding.
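The following is an added example, not code from STIGhub, DISA or the API SRG, showing what a minimal implementation of this requirement and its check looks like in one place. It is a stdlib-only Python token service that issues HS256 JWTs and enforces the two revocation strategies the Discussion names: a denylist keyed on the token's jti claim (logout, single-session termination) and a per-subject cutoff that invalidates every token a subject holds (credential compromise, role change). Every revocation writes an audit record with actor, timestamp and reason, and verify() rejects revoked assertions before any resource is served. The class and method names (TokenService, revoke_token, revoke_subject, purge_expired), the signing key, the token lifetime and the sample subjects are assumptions constructed for illustration; jti, iat, exp and sub are the standard registered JWT claim names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example; a real deployment loads the key from a secret store.
SECRET_KEY = b"example-only-signing-key"
TOKEN_TTL = 900  # seconds; short lifetimes bound the damage of a revocation that is missed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dumps(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class TokenService:
    """Issues HS256 JWTs and enforces revocation two ways: a denylist keyed on the
    jti claim (single session) and a per-subject cutoff that invalidates every
    token issued to that subject at or before a given instant (compromise, role change)."""

    def __init__(self, key: bytes = SECRET_KEY, now=time.time):
        self.key = key
        self.now = now            # injectable clock so the checks below are repeatable
        self.revoked_jti = {}     # jti -> exp; an entry is only needed until the token expires
        self.subject_cutoff = {}  # sub -> timestamp of the subject-wide revocation
        self.audit_log = []       # who revoked what, when and why

    def issue(self, subject: str, roles: list, jti: str) -> str:
        iat = int(self.now())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": subject, "roles": roles, "jti": jti, "iat": iat, "exp": iat + TOKEN_TTL}
        signing_input = _b64url(_dumps(header)) + "." + _b64url(_dumps(claims))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def _record(self, actor: str, reason: str, **target) -> None:
        self.audit_log.append({"at": int(self.now()), "actor": actor, "reason": reason, **target})

    def revoke_token(self, token: str, actor: str, reason: str) -> None:
        """Logout or session termination: deny this one token by its jti.
        The caller (e.g. the logout endpoint) has already authenticated the token."""
        claims = json.loads(_b64url_decode(token.split(".")[1]))
        self.revoked_jti[claims["jti"]] = claims["exp"]
        self._record(actor, reason, sub=claims["sub"], jti=claims["jti"])

    def revoke_subject(self, subject: str, actor: str, reason: str) -> None:
        """Credential theft or permission change: reject every token the subject
        currently holds, including ones this server never saw issued."""
        self.subject_cutoff[subject] = int(self.now())
        self._record(actor, reason, sub=subject)

    def purge_expired(self) -> int:
        """Keep the denylist bounded: an expired token already fails the exp check."""
        now = int(self.now())
        stale = [jti for jti, exp in self.revoked_jti.items() if exp <= now]
        for jti in stale:
            del self.revoked_jti[jti]
        return len(stale)

    def verify(self, token: str) -> tuple:
        """Return (accepted, reason): signature, then lifetime, then both revocation checks."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        signing_input = parts[0] + "." + parts[1]
        expected = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
                return False, "bad signature"
            claims = json.loads(_b64url_decode(parts[1]))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        now = int(self.now())
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if claims.get("jti") in self.revoked_jti:
            return False, "revoked"
        # Fail closed: a token minted in the same second as the cutoff is rejected too.
        if claims.get("iat", 0) <= self.subject_cutoff.get(claims.get("sub"), -1):
            return False, "issued before subject cutoff"
        return True, "ok"


if __name__ == "__main__":
    svc = TokenService()
    token = svc.issue("alice", ["user"], jti="session-1")
    print("before revocation:", svc.verify(token))
    svc.revoke_token(token, actor="alice", reason="logout")
    print("after revocation: ", svc.verify(token))
    print("audit:", svc.audit_log)
```

Mapped to the check: revoke_token and revoke_subject are the revocation mechanism, audit_log is the evidence for the logging step, and calling verify() with a revoked token is the post-revocation rejection test. Two caveats a reviewer should probe for in a real API: in a multi-instance deployment the denylist and subject cutoffs must live in shared storage or be replicated to every verifier, otherwise one instance revokes while another keeps accepting; and the denylist only has to outlive each token's exp, which is why short token lifetimes and a periodic purge belong together.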

Fix Text

Build or configure the API to revoke assertions in accordance with organization-defined identification and authentication policy.