Header Parameter Validation Tests¶

This guide explains how OpenAPI Test Generator creates negative tests for header parameters, distinguishing between regular required headers and security-related headers.

Types of Header Tests¶

The generator produces different test cases depending on the header type:

Header Type	Provider/Rule	Expected Status	Example
Required non-security	`MissedRequiredParameterTestProvider`	400	`X-Request-ID`, `X-Correlation-ID`
Required security	`AuthTestCaseProviderForOperation`	401/403	`Authorization`, `X-API-Key`
Invalid value (non-security header param)	`ParameterSchemaValidationTestProvider`	400	Wrong format, out of range

Security header validation (missing or invalid values) is generated by auth rules, not schema rules.

Missing Required Header (Non-Security)¶

Non-security headers defined in operation parameters with required: true are handled by MissedRequiredParameterTestProvider and ParameterSchemaValidationTestProvider.

Example OpenAPI Spec¶

paths:
    /users:
        get:
            operationId: listUsers
            parameters:
                -   name: X-Request-ID
                    in: header
                    required: true
                    schema:
                        type: string
                        format: uuid
                -   name: X-Correlation-ID
                    in: header
                    required: false
                    schema:
                        type: string

Generated Test Cases¶

For the required X-Request-ID header, the generator produces:

Fixture context

The fixture used for these examples (core/src/test/resources/oas/complex/listUsers-test-suites.json) defines BearerAuth for /users. That is why the generated cases include an authorization header placeholder. If your operation has no security requirement, the headers list will be empty.

Missing required header:

{
    "name": "Missed Required Header Parameter X-Request-ID",
    "method": "GET",
    "path": "/users",
    "headers": [
        {
            "key": "authorization",
            "value": "<valid_BearerAuth_placeholder>"
        }
    ],
    "expectedStatusCode": 400,
    "rule": "art.galushko.openapi.testgen.providers.parameter.MissedRequiredParameterTestProvider"
}

Invalid UUID format:

{
    "name": "Invalid Header X-Request-ID parameter: Wrong UUID Format",
    "method": "GET",
    "path": "/users",
    "headers": [
        {
            "key": "authorization",
            "value": "<valid_BearerAuth_placeholder>"
        },
        {
            "key": "X-Request-ID",
            "value": "8e258b27-c787-49ef-9539-11461b251ffg"
        }
    ],
    "expectedStatusCode": 400,
    "rule": "art.galushko.openapi.testgen.rules.schema.WrongUuidFormatSchemaValidationRule"
}

Security Headers (Auth)¶

Security headers defined in securitySchemes are handled by AuthTestCaseProviderForOperation and produce different expected status codes.

Example OpenAPI Spec¶

components:
    securitySchemes:
        BearerAuth:
            type: http
            scheme: bearer
            bearerFormat: JWT
        ApiKeyAuth:
            type: apiKey
            in: header
            name: X-API-Key

security:
    -   BearerAuth: [ ]
    -   ApiKeyAuth: [ ]

Generated Test Cases¶

No security values provided:

{
    "name": "No security values provided",
    "method": "GET",
    "path": "/users",
    "headers": [
        {
            "key": "X-Request-ID",
            "value": "d5a5495b-cbdc-4237-a66e-000000000000"
        }
    ],
    "expectedStatusCode": 401,
    "rule": "art.galushko.openapi.testgen.rules.auth.AllSecurityMissedAuthValidationRule"
}

Missing one required scheme (AND security):

{
    "name": "Missing Authorization header security",
    "method": "GET",
    "path": "/secure-and",
    "headers": [
        {
            "key": "X-API-Key",
            "value": "<valid_apiKeyHeader_api_key_placeholder>"
        }
    ],
    "expectedStatusCode": 401,
    "rule": "art.galushko.openapi.testgen.rules.auth.MissingSecurityValuesAuthValidationRule"
}

This case is generated when multiple security schemes are required together and one scheme is omitted. Fixture source: core/src/test/resources/oas/security-generated-test-suites.json.

Invalid Authorization header:

{
    "name": "Invalid Authorization header security",
    "method": "GET",
    "path": "/users",
    "headers": [
        {
            "key": "X-Request-ID",
            "value": "d5a5495b-cbdc-4237-a66e-000000000000"
        },
        {
            "key": "authorization",
            "value": "bearer some_really_invalid_authorization_header"
        }
    ],
    "expectedStatusCode": 401,
    "rule": "art.galushko.openapi.testgen.rules.auth.InvalidSecurityValuesAuthValidationRule"
}

Invalid API key header:

{
    "name": "Invalid X-API-Key API key security",
    "method": "GET",
    "path": "/users",
    "headers": [
        {
            "key": "authorization",
            "value": "<valid_BearerAuth_placeholder>"
        },
        {
            "key": "X-Request-ID",
            "value": "d5a5495b-cbdc-4237-a66e-000000000000"
        },
        {
            "key": "X-API-Key",
            "value": "some_really_invalid_api_key"
        }
    ],
    "expectedStatusCode": 401,
    "rule": "art.galushko.openapi.testgen.rules.auth.InvalidSecurityValuesAuthValidationRule"
}

Security Placeholders

When auth headers are required but you haven't configured valid values, the generator uses placeholders like <valid_BearerAuth_placeholder>. Configure valid values using Security Values to get realistic test data.

Distinguishing Header Types in Output¶

Use the rule field to identify the test type:

Rule Contains	Header Type	Expected Status
`MissedRequiredParameterTestProvider`	Non-security required	400
`SchemaValidationRule`	Any (schema violation)	400
`AllSecurityMissedAuthValidationRule`	Security (all missing)	401
`InvalidSecurityValuesAuthValidationRule`	Security (invalid)	401
`MissingSecurityValuesAuthValidationRule`	Security (partial missing)	401

Filtering Header Tests¶

Test case name lists match exact names (wildcards are not evaluated).

Exclude missing header tests¶

testGenerationSettings:
    ignoreTestCases:
        "/users":
            "GET":
                - "Missed Required Header Parameter X-Request-ID"

Exclude security header tests by rule¶

testGenerationSettings:
    ignoreAuthValidationRules:
        - "art.galushko.openapi.testgen.rules.auth.AllSecurityMissedAuthValidationRule"
        - "art.galushko.openapi.testgen.rules.auth.InvalidSecurityValuesAuthValidationRule"

Limit generation to a specific path (all test types)¶

testGenerationSettings:
    includeOperations:
        "/users":
            - "GET"

This filters operations before generation, but still produces all applicable tests (query, header, body, auth) for the selected operation. See Include Operations for details.

Running Test Generator - How to run the test generator
Security Values - Configuring valid auth tokens
Ignore Rules - Excluding specific test cases
Providers Catalog - Header parameter providers
Rules Catalog - Auth validation rules

Header Parameter Validation Tests¶

Types of Header Tests¶

Missing Required Header (Non-Security)¶

Example OpenAPI Spec¶

Generated Test Cases¶

Security Headers (Auth)¶

Example OpenAPI Spec¶

Generated Test Cases¶

Distinguishing Header Types in Output¶

Filtering Header Tests¶

Exclude missing header tests¶

Exclude security header tests by rule¶

Limit generation to a specific path (all test types)¶

Related Documentation¶