STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274845

CAT II (Medium)

The API must time-restrict assertions in accordance with organization-defined identification and authentication policy.

Rule ID

SV-274845r1143892_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-005162, CCI-000366

Discussion

An API must time-restrict assertions to minimize security risks and ensure access to protected resources is granted only within a valid and controlled timeframe. Assertions, such as JWTs or SAML tokens, typically include expiration timestamps that limit how long they are valid. This prevents long-term misuse in case a token is leaked or intercepted and helps enforce periodic re-authentication or authorization checks. By applying time restrictions, the API reduces the window of opportunity for unauthorized access, aligns with best practices in secure session management, and supports compliance with policies that require timely validation of user credentials and permissions.

Check Content

Review the organization's identification and authentication policy for its defined rules on assertion validity duration. These rules should include the maximum lifespan of an assertion, such as the allowed expiration time after issuance.

Check the API's implementation to ensure it generates assertions with the correct expiration times based on the organization's policy. Assertions must include expiration claims (e.g., exp in JWT tokens), and the API must enforce these time restrictions automatically.

Simulate the use of assertions at different times, including immediately after issuance and near expiration. Ensure the API correctly rejects assertions that have expired or are no longer valid according to the defined time restrictions.

Verify the API is applying time-based policies for issuing or renewing assertions. For example, it should not issue assertions with a duration that exceeds the time limits set by the organization. It should also handle scenarios like late requests that could fall outside the permitted time window.

Review the API logs to verify expiration and time-based events are being properly logged, including when an assertion is created, expired, or rejected due to time constraints. 

Refer to the API's documentation to ensure the time restriction policy is implemented correctly and compliant with the organization's defined standards for assertion time management.

If the API does not time-restrict assertions in accordance with organization-defined identification and authentication policy, this is a finding.
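The following is an added example (not part of the STIG or of any DISA-provided code) showing how an API can implement and check the controls described above using only the Python standard library: the issuer caps the assertion lifetime at a policy maximum, and the verifier rejects assertions that are expired, not yet valid, missing an `exp` claim, or minted with a lifetime beyond policy. The policy values, the HS256 key and the subjects are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Policy values are constructed for this example; in practice they come from the
# organization's identification and authentication policy.
MAX_ASSERTION_LIFETIME = 900   # seconds: longest exp - iat the API may issue
CLOCK_SKEW_LEEWAY = 30         # seconds of tolerance between issuer and verifier clocks

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _encode(key: bytes, claims: dict) -> str:
    """Build an HS256-signed JWT from the given claims (no lifetime check here)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def issue_assertion(key: bytes, subject: str, requested_lifetime: int, now: int) -> str:
    """Issue an assertion, capping the requested lifetime at the policy maximum."""
    lifetime = min(requested_lifetime, MAX_ASSERTION_LIFETIME)
    return _encode(key, {"sub": subject, "iat": now, "nbf": now, "exp": now + lifetime})

def validate_assertion(key: bytes, token: str, now: int) -> tuple:
    """Return (accepted, reason); 'reason' is what the API should write to its audit log."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad_signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "bad_alg"
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims or "iat" not in claims:
        return False, "missing_time_claims"   # an assertion with no expiry is a finding
    if now > claims["exp"] + CLOCK_SKEW_LEEWAY:
        return False, "expired"
    if now + CLOCK_SKEW_LEEWAY < claims.get("nbf", claims["iat"]):
        return False, "not_yet_valid"
    if claims["exp"] - claims["iat"] > MAX_ASSERTION_LIFETIME:
        return False, "lifetime_exceeds_policy"  # reject tokens minted outside policy
    return True, "valid"
```

Exercising `validate_assertion` immediately after issuance, near expiry, and past expiry (plus leeway) reproduces the "simulate the use of assertions at different times" step of the check, and the returned reason string is the event the API should log.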

Fix Text

Build or configure the API to time-restrict assertions in accordance with organization-defined identification and authentication policy.