Description
Several HTTP servers strip HTTP headers when they contain `_` for security reasons. Using something like `api-key` instead of `api_key` in the examples would be a more realistic example.

For reference, nginx drops headers with underscores by default (see https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers or https://dev.to/thesameeric/dont-use-underscores-in-your-http-headers-gfp). The Django project's blog (https://www.djangoproject.com/weblog/2015/jan/13/security/) has a good description of the problem. Other servers such as waitress (Pylons/waitress#80) followed suit by dropping headers with underscores. I think Apache httpd also drops such headers (https://httpd.apache.org/docs/trunk/en/new_features_2_4.html#:~:text=Header%20names%20containing%20invalid%20characters%20(including%20underscores)%20are%20no%20longer%20converted%20to%20environment%20variables).
What I'm thinking is that in places where `api_key` is used to give an example of a header, for example in `OpenAPI-Specification/versions/3.1.0.md`, lines 566 to 567 in 2408885:

```json
"name": "api_key",
"in": "header"
```

using something like `api-key` might be better.
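The reason behind the server behaviour cited above is the CGI/WSGI rule that maps a request header name to an environment key by upper-casing it and turning `-` into `_`, so `api-key` and `api_key` both collapse to `HTTP_API_KEY` and an application reading that key cannot tell which header it came from. The following is an added example (not code from this issue, the OpenAPI Specification, nginx, Django or waitress) that reproduces the collision on constructed sample headers and shows the front-end filter that the servers mentioned apply: dropping any header name containing an underscore before it reaches the application. The function names, the `_TOKEN` pattern and the sample header list are all assumptions made for the example.

```python
"""
Added example (not from the OpenAPI-Specification issue or project): why
servers treat underscores in HTTP header names as a security problem.
CGI-style conversion (RFC 3875, section 4.1.18) maps a header name to
HTTP_<NAME> with '-' replaced by '_', so 'api-key' and 'api_key' alias each
other. A front end that drops underscore names, as nginx does by default,
removes the ambiguity before the application sees the request.
"""
import re

# RFC 7230 token characters. '_' is a legal token character on the wire;
# the filter below rejects it anyway, for the aliasing reason shown here.
_TOKEN = re.compile(r"^[!#$%&'*+.^`|~0-9A-Za-z_-]+$")


def cgi_env_key(header_name: str) -> str:
    """CGI meta-variable name for a request header (e.g. api-key -> HTTP_API_KEY)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def to_environ(headers):
    """Naive CGI/WSGI-style conversion: a later header silently overwrites an
    earlier one that maps to the same environ key."""
    environ = {}
    for name, value in headers:
        environ[cgi_env_key(name)] = value
    return environ


def drop_underscore_headers(headers):
    """Front-end filter mirroring nginx's default (underscores_in_headers off):
    drop malformed names and any name containing '_' before forwarding."""
    return [
        (name, value)
        for name, value in headers
        if _TOKEN.match(name) and "_" not in name
    ]


def header_collides(a: str, b: str) -> bool:
    """True when two distinct header names map to the same CGI environ key."""
    return a != b and cgi_env_key(a) == cgi_env_key(b)


# Constructed sample request: the legitimate api-key header followed by an
# api_key header (hypothetical values) that aliases it after conversion.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("api-key", "legit-value"),
    ("api_key", "other-value"),
]


if __name__ == "__main__":
    # Without the filter the application sees the aliased value for HTTP_API_KEY;
    # with the filter it sees the api-key header only.
    print("collision:", header_collides("api-key", "api_key"))
    print("unfiltered:", to_environ(SAMPLE_HEADERS)["HTTP_API_KEY"])
    print("filtered:", to_environ(drop_underscore_headers(SAMPLE_HEADERS))["HTTP_API_KEY"])
```

Running it shows the unfiltered environ carrying the value of whichever header arrived last, while the filtered environ only ever carries the `api-key` value; this is exactly the ambiguity the spec's examples would sidestep by using a hyphenated name.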