CME-909
Default-Deny API Authorization Policy
Description
All API endpoints require explicit authorization by default — any endpoint without a declared authorization rule returns 403 Forbidden. The authorization framework operates as a deny-by-default middleware that intercepts every incoming request and requires an explicit policy match before forwarding to the handler. Only explicitly allowlisted endpoints (health checks, public landing pages) bypass authorization. Prevents vulnerabilities where new endpoints are deployed without authorization checks, or where legacy endpoints silently allow unauthenticated access to sensitive functionality.
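The middleware described above, as an added illustration that is not code from any particular framework: routes declare a policy or are explicitly marked public, and a handler that has neither is refused with 403 even though it is registered. The names `App`, `Request`, `require_role`, `build_app` and the sample paths are assumptions made for this example; `undeclared_routes()` is the deploy-time check a reviewer would run to catch a legacy endpoint that was never given a rule.

```python
# Added illustration of a deny-by-default authorization middleware; not code from
# any real framework. App, Request, require_role and the routes are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str] = None            # None: no credentials presented
    roles: FrozenSet[str] = frozenset()


Response = Tuple[int, str]
Handler = Callable[[Request], Response]
Policy = Callable[[Request], bool]


def require_role(role: str) -> Policy:
    """Policy factory: the authenticated caller must hold `role`."""
    return lambda req: role in req.roles


class App:
    def __init__(self) -> None:
        self._handlers: Dict[str, Handler] = {}
        self._policies: Dict[str, Policy] = {}
        self._public: Set[str] = set()     # explicit allowlist (health checks etc.)

    def route(self, path: str, policy: Optional[Policy] = None, public: bool = False):
        """Register a handler. A route with neither a policy nor public=True is
        routable, but dispatch() refuses it: absence of a rule is a deny."""
        def decorator(fn: Handler) -> Handler:
            self._handlers[path] = fn
            if public:
                self._public.add(path)
            elif policy is not None:
                self._policies[path] = policy
            return fn
        return decorator

    def undeclared_routes(self) -> List[str]:
        """Deploy-time check: handlers with no policy and no public allowlisting."""
        return sorted(p for p in self._handlers
                      if p not in self._public and p not in self._policies)

    def dispatch(self, req: Request) -> Response:
        handler = self._handlers.get(req.path)
        if handler is None:
            return 404, "not found"
        if req.path in self._public:       # allowlisted: bypasses authorization
            return handler(req)
        policy = self._policies.get(req.path)
        if policy is None:                 # deny-by-default: no rule declared
            return 403, "forbidden: no authorization policy declared"
        if req.user is None:               # authentication precedes authorization
            return 401, "unauthorized"
        if not policy(req):
            return 403, "forbidden"
        return handler(req)


def build_app() -> App:
    app = App()

    @app.route("/healthz", public=True)
    def healthz(req: Request) -> Response:
        return 200, "ok"

    @app.route("/api/v1/admin/users", policy=require_role("admin"))
    def admin_users(req: Request) -> Response:
        return 200, f"user list for {req.user}"

    @app.route("/api/v1/reports")          # legacy endpoint whose policy was forgotten
    def reports(req: Request) -> Response:
        return 200, "reports"

    return app


if __name__ == "__main__":
    app = build_app()
    print("routes lacking a policy:", app.undeclared_routes())
    for req in (Request("/healthz"),
                Request("/api/v1/admin/users"),
                Request("/api/v1/admin/users", user="eve", roles=frozenset({"viewer"})),
                Request("/api/v1/admin/users", user="alice", roles=frozenset({"admin"})),
                Request("/api/v1/reports", user="alice", roles=frozenset({"admin"}))):
        print(req.path, req.user, "->", app.dispatch(req))
```

The ordering inside `dispatch()` is the point: the allowlist is consulted first, then the presence of a rule, then credentials, then the rule itself. A missing rule is answered before credentials are even inspected, so an endpoint deployed without a policy can never be reached, whether or not the caller is authenticated. Wiring `undeclared_routes()` into a startup or CI check turns the framework-level deny into a build-time failure.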
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Privileges Required (PR) | N → L | Unauthenticated access to any endpoint is impossible under default-deny; every request must present valid credentials at minimum, eliminating the entire class of missing-authentication vulnerabilities (CWE-306) at the framework level. |
| Attack Complexity (AC) | L → H | An attacker must find an explicit authorization bypass or policy misconfiguration rather than simply discovering an unprotected endpoint; the framework ensures no endpoint is accidentally exposed without a deliberate policy decision. |
CWE Relationships
Verification
Verify that unauthenticated requests to non-public endpoints are rejected, and inspect the framework configuration for a default-deny authorization policy.
$ curl -s -o /dev/null -w '%{http_code}' http://localhost:8080/api/v1/admin/users
# Expected: 401 or 403 without credentials
Platform: any
$ grep -rn 'default.*deny\|require_auth\|authenticate!\|@login_required\|IsAuthenticated\|authorize.*default' <app_source>/
# Expected: Global authentication/authorization middleware configured with deny-by-default
Platform: any