Api Key Exposure in Echo Go with Postgresql
Api Key Exposure in Echo Go with Postgresql — how this specific combination creates or exposes the vulnerability
When building HTTP services in Go with the Echo framework and storing configuration or secrets in Postgresql, developers can inadvertently expose API keys through application code, database permissions, or insecure data handling. This risk arises when API keys are stored as plain text in database tables, printed in logs, or returned in API responses due to improper struct serialization.
Echo applications that directly query Postgresql and expose raw rows via REST endpoints may leak keys if response structs include sensitive fields. For example, defining a struct with a APIKey string field and binding it directly to a database query can result in the key being serialized into JSON when the endpoint is called. An attacker who compromises an endpoint that returns user or application settings can obtain the key if it is present in the queried columns.
Additionally, connection strings and credentials used to open a Postgresql database can be embedded in environment variables or configuration files that are checked into source control. If an Echo application logs query errors and includes the full connection string or result rows, keys can be exposed in log aggregation systems. Hardcoded keys in SQL migration files or seed scripts also create a persistent exposure path, especially when those files are accessible through development tools or version history.
The combination of Echo’s flexible routing and Postgresql’s role-based access controls can amplify exposure if roles are overly permissive. A database role used by the Echo service that has SELECT on tables containing key material allows any code path using that role to read and potentially expose the key. Without row-level security or column masking, queries that fetch configuration rows can return keys to any authenticated HTTP request that reaches the handler.
Insecure deserialization of query results further compounds the risk. If Echo handlers bind JSON responses using json.Marshal on structs that include key fields, and those handlers are reachable without authentication, the keys are exposed in clear text over HTTP. Even with authentication, if tokens or keys are included in debug endpoints or health checks that lack proper authorization, an attacker can harvest them through enumeration.
middleBrick scans such unauthenticated attack surfaces and flags endpoints that return sensitive fields like API keys, providing prioritized findings with severity and remediation guidance. This is particularly valuable for Echo and Postgresql stacks where keys traverse both application and database layers, increasing the chance of exposure through misconfigured routes, logging, or permissions.
Postgresql-Specific Remediation in Echo Go — concrete code fixes
To secure API keys when using Echo with Postgresql, isolate key material from application code and database responses. Store keys in environment variables or a dedicated secrets manager, and reference them in your Echo configuration without exposing them through database queries.
Define database tables without key columns, and instead use indirect references. For example, create a configuration table that stores metadata but excludes the actual key:
CREATE TABLE service_config (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name TEXT NOT NULL,
endpoint TEXT NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
Use a separate, restricted table for sensitive values with row-level security enabled:
CREATE TABLE api_keys (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
service_name TEXT NOT NULL REFERENCES service_config(name),
encrypted_key BYTEA NOT NULL,
updated_at TIMESTAMPTZ DEFAULT NOW()
);
ALTER TABLE api_keys ENABLE ROW LEVEL SECURITY;
CREATE POLICY select_own_keys ON api_keys
FOR SELECT
USING (service_name = current_setting('app.service_name', true));
In your Echo handlers, query only non-sensitive configuration and retrieve keys through a controlled, authenticated function. Use context-based settings to pass the service name to Postgresql:
func getConfig(c echo.Context) error {
svc := c.Param("service")
ctx := context.Background()
conn, err := pgx.Connect(ctx, os.Getenv("DATABASE_URL"))
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "unable to connect")
}
defer conn.Close(ctx)
var name, endpoint string
err = conn.QueryRow(ctx, "SELECT name, endpoint FROM service_config WHERE name = $1", svc).Scan(&name, &endpoint)
if err != nil {
return echo.NewHTTPError(http.StatusNotFound, "config not found")
}
// Key retrieval via a secure, audited function
var key []byte
err = conn.QueryRow(ctx, "SELECT decrypt_key(service_name) FROM api_keys WHERE service_name = $1", name).Scan(&key)
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "unable to retrieve key")
}
return c.JSON(map[string]interface{}{
"endpoint": endpoint,
// intentionally not returning key
})
}
Rotate keys using encrypted migrations and avoid selecting key columns in any handler. Define Postgresql functions to decrypt keys only within secure execution contexts, and ensure the Echo application never logs query results that include sensitive columns. With these measures, the attack surface is reduced and keys remain protected at the database and API layers.