HIGH api key exposureadonisjsmutual tls

Api Key Exposure in Adonisjs with Mutual Tls

Scan for api key exposure in adonisjs

Api Key Exposure in Adonisjs with Mutual Tls — how this specific combination creates or exposes the vulnerability

When an AdonisJS application uses Mutual TLS (mTLS) for client authentication, developers may assume the transport is fully secured and inadvertently expose API keys in a way mTLS cannot protect. mTLS ensures the client possesses a valid certificate, but it does not prevent the client from sending sensitive authorization data—such as an API key—inside HTTP headers, cookies, or the request body. If an API key is passed in an Authorization header (e.g., Authorization: ApiKey abc123) while mTLS is enforced, the key is still present in plaintext within the application’s request handling layer. Should logs, error messages, or monitoring integrations capture that header, the key can be leaked beyond the intended access boundary.

Another exposure path arises when AdonisJS applications proxy or forward requests internally after mTLS client validation. For example, a gateway may authenticate the client certificate, then forward the request to a downstream service including the original API key header. If the downstream service logs requests or if the forwarding logic is misconfigured, the key can be stored or transmitted insecurely. MiddleBrick’s scan checks for such exposure by inspecting whether API keys appear in HTTP headers that are transmitted or logged after mTLS authentication, flagging cases where keys are present in unencrypted or uncontrolled contexts despite transport-layer mutual authentication.

The interplay of mTLS and API keys also matters in error handling. AdonisJS may return stack traces or validation errors that include header values when exceptions occur. If an API key is present in an incoming header and an unhandled exception is thrown, the key can be reflected in error responses or logs. MiddleBrick’s Data Exposure checks specifically look for sensitive values in responses and logs, identifying whether API keys inadvertently surface alongside mTLS-authenticated sessions. This combination—mTLS for client identity plus key-based authorization—can create a false sense of security if key handling is not explicitly hardened.

Additionally, applications may embed API keys in query parameters or cookies while using mTLS for channel binding. Query parameters are often recorded in server logs and browser histories, and cookies may be duplicated across services. Even with mTLS preventing man-in-the-middle attacks, these storage and transmission practices can lead to persistence and accidental disclosure. MiddleBrick evaluates whether API keys are present in query strings or cookie values after successful mTLS negotiation, highlighting insecure storage and logging practices that persist despite strong transport authentication.

Finally, configuration mistakes in AdonisJS can weaken the protection mTLS offers. For instance, enabling verbose logging for debugging purposes or misconfiguring trust proxy settings may cause the framework to log full headers, including API keys, to disk or stdout. MiddleBrick’s scan validates runtime behavior by analyzing whether API keys are present in observable outputs following mTLS-authenticated requests, providing findings that help developers understand exactly how keys can be exposed even when mutual authentication is in place.

Mutual Tls-Specific Remediation in Adonisjs — concrete code fixes

To reduce exposure risk, handle API keys outside the request flow after mTLS authentication and avoid echoing them in logs or responses. Use environment-based configuration and explicit header stripping where appropriate.

Example 1: mTLS-only transport without API keys in headers

// start/server.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class AuthController {
  public async validateMtlsOnly({ request, response }: HttpContextContract) {
    // Rely on mTLS client certificate for identity; do not expect an API key header.
    const clientCert = request.$ssl?.clientCert
    if (!clientCert) {
      return response.unauthorized({ error: 'Client certificate required' })
    }

    // Do not read or forward API keys from headers.
    response.send({ ok: true, client: clientCert.subject })
  }
}

Example 2: Reject requests containing API key headers when mTLS is used

// start/middleware/forbid-api-key.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default function forbidApiKey() {
  return async (ctx: HttpContextContract, next: () => Promise) => {
    const apiKey = ctx.request.header('api-key') || ctx.request.header('authorization')
    if (apiKey) {
      // Fail early to prevent accidental propagation of keys.
      ctx.response.status = 400
      ctx.response.body = { error: 'API keys not allowed when using mTLS' }
      return
    }
    await next()
  }
}

// In start/kernel.ts
Server.middleware.registerNamed({
  forbidApiKey: () => forbidApiKey(),
})

// Apply to a route group that requires mTLS
Route.group(() => {
  Route.get('/secure', 'SecureController.index').middleware('forbidApiKey')
}).prefix('api/v1')

Example 3: Forwarding requests without leaking keys

// start/middleware/forward-without-keys.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import axios from 'axios'

export default async function forwardWithoutKeys(ctx: HttpContextContract) {
  // Strip sensitive headers before forwarding.
  const headers = { ...ctx.request.headers() }
  delete headers['api-key']
  delete headers['authorization']

  const response = await axios.get('https://downstream.internal/data', {
    headers,
    httpsAgent: ctx.request.httpsAgent // mTLS client cert is handled by the runtime.
  })

  ctx.response.send(response.data)
}

Example 4: Logging that excludes API keys

// start/providers/AppProvider.ts
import { logger } from '@ioc:Adonis/Core/Logger'

export default class AppProvider {
  constructor() {
    // Ensure logs do not contain sensitive header values.
    logger.processLogging = (level, message, { error, ...metadata }) => {
      const safeMeta = { ...metadata }
      if (safeMeta.headers) {
        const { 'api-key': _, authorization: __, ...safeHeaders } = safeMeta.headers
        safeMeta.headers = safeHeaders
      }
      logger.info(message, { error, ...safeMeta })
    }
  }
}

Example 5: Environment-driven key handling

// .env
NODE_ENV=production
FORWARD_API_KEY=false

// start/middleware/conditional-key-forwarding.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import Env from '@ioc:Adonis/Core/Env'

export default async function conditionalKeyHandling(ctx: HttpContextContract) {
  const shouldForward = Env.get('FORWARD_API_KEY', 'false') === 'true'
  const headers = { ...ctx.request.headers() }

  if (!shouldForward) {
    delete headers['api-key']
  }

  // Continue processing with safe headers.
  await next()
}
Scan for api key exposure in adonisjs Free API security scan

Frequently Asked Questions

Does mTLS prevent API key leakage in AdonisJS?
No. Mutual TLS secures the channel and verifies client certificates, but it does not prevent API keys from being sent in headers, cookies, or query parameters. Keys can still be logged, proxied, or reflected in errors unless explicitly handled.
How can I detect API key exposure in my AdonisJS app when mTLS is used?
Use automated scans that inspect whether API keys appear in request and response flows after mTLS authentication. MiddleBrick checks for keys in headers, logs, and error outputs, providing remediation guidance to remove or strip sensitive values.

Related Pages

Api Key Exposure in AdonisjsAPI key exposure in Adonisjs applications: detection and remediation for hardcoded keys, fallback values, and logging vuApi Key Exposure with Mutual TlsAPI key exposure in Mutual TLS creates unique vulnerabilities when secrets are stored in certificate extensions or loggeApi Key Exposure in Adonisjs on GcpUnderstand API key exposure in AdonisJS on GCP, with secure code examples and GCP-specific remediation guidance.Api Key Exposure in Adonisjs on KubernetesAPI key exposure in AdonisJS on Kubernetes, risks and Kubernetes-specific remediation with code examples.Api Key Exposure in Adonisjs on AwsLearn how AWS key exposure occurs in AdonisJS, and apply concrete code fixes to protect credentials in API responses.Api Key Exposure in Adonisjs on FirebaseLearn how API key exposure occurs with Firebase in AdonisJS and apply concrete code fixes to secure credentials and confHipaa: Api Key Exposure in AdonisjsExplore HIPAA risks when API keys are exposed in AdonisJS. Learn secure patterns for storage, logging, and transmission,Gdpr: Api Key Exposure in AdonisjsGDPR and API key exposure in AdonisJS: risks and remediation with code examples and logging best practicesIso 27001: Api Key Exposure in AdonisjsExplore ISO 27001 and Adonisjs API key exposure: risks, real code examples, and remediation steps to protect secrets andCis: Api Key Exposure in AdonisjsCIS risks and remediation for API key exposure in AdonisJS: practical code guidance and how middleBrick detects issues.Api Key Exposure in Adonisjs with DynamodbExplore API key exposure risks in AdonisJS with DynamoDB, understand how they occur, and apply concrete code fixes to reApi Key Exposure in Adonisjs with CockroachdbUnderstand and remediate API key exposure when using AdonisJS with CockroachDB, including secure configuration and scann