STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Application Programming Interface (API) Security Requirements Guide

V-274534

CAT II (Medium)

The API must audit request and response details (such as method, URL, headers, body, status, etc.).

Rule ID

SV-274534r1143565_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-000130

Discussion

By logging request and response data, the API can track the flow of information between clients and the system, providing a detailed audit trail that helps detect and analyze potential security incidents, such as unauthorized access attempts, data manipulation, or injection attacks.

Check Content

Verify the API audits request and response details.

1. Inspect the API's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes.

2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome.

3. Verify the API is configured to log the necessary request and response details, such as the type of request, request parameters, and response status.

4. Review the API's documentation to ensure proper auditing of request and response details is enabled.

If the API is not auditing request and response detail, this is a finding.

Fix Text

Build or configure the API to log the necessary request and response details such as method, URL, headers, body, status, etc.