Monitoring
Janina Mincer-Daszkiewicz
Levels of estimated error severity.
If an error is present in the context of an API (or endpoint), it applies only to that API (or endpoint).
Critical | This severity level implies that the process always/usually works badly. |
MAJOR | This severity level implies that the process works badly in some cases. |
MEDIUM | This flaw results in unfavorable behavior but the system remains functioning. |
LOW | This type of flaw won’t cause any major breakdown in the system. |
List of identified issues in this category (click on the title to show details)
Description | A client receives an error response from a server, and in the report, as the server_message request parameter, sends something other than the content of its developer-message element. But the specification says that is should be: "Error description received from the server. This parameter MUST be passed if the server returned a 4xx or 5xx status code along with an |
|---|---|
Estimated severity | LOW |
Examples |
|
Suggested action | Enforce absolute compliance with the specification. If the server didn't return an XML or there is no developer message in it, leave the server_message parameter empty. |
How communicated | Monitoring system, email correspondence with providers. Problem occurred for at least 7 providers. |
Description | A client receives an error response from a server, but it is an HTML instead of the usual error-response XML, and in the report describes the error as an issue with validating the response rather than an error returned by the server. But error responses aren't strictly required to be XML. The specification for errors 4xx says that "the response SHOULD contain an XML content with the |
|---|---|
Estimated severity | LOW |
Examples |
|
Suggested action | Enforce absolute compliance with the specification. Report HTML error responses as normal errors returned by servers (with empty server_message parameter). |
How communicated | Monitoring system, email correspondence with providers. Problem occurred for at least 4 providers. |
Description | A client receives an error response from a server, but it is missing an HTTP signature, and in the report describes the error as an issue with authenticating the response rather than an error returned by the server. But error responses aren't required to be signed. The specification says:
|
|---|---|
Estimated severity | LOW |
Examples |
|
Suggested action | Enforce absolute compliance with the specification. Report unsigned error responses as normal errors returned by servers. |
How communicated | Monitoring system, email correspondence with providers. Problem occurred for at least 2 providers. |
Description | A client receives a response from a server, but some field containing private data (like signer-email in the Outgoing Mobility Learning Agreements API's GET endpoint) fails validation, and includes in the report its invalid value in the client_message request parameter. But even if malformed, such invalid value can still contain private data that shouldn't be included in the report. The specification says: "The message MUST NOT contain any private data." |
|---|---|
Estimated severity | MEDIUM |
Examples |
|
Suggested action | Enforce absolute compliance with the specification. Don't include in your reports values from server responses for fields that can contain private data. |
How communicated | Monitoring system, email correspondence with providers. Problem occurred for at least 1 provider. |