Api Key Exposure in Hanami
How Api Key Exposure Manifests in Hanami
Api key exposure in Hanami applications typically occurs through several distinct attack vectors that are specific to the framework's architecture. The most common scenario involves API keys being inadvertently committed to source control or exposed through configuration files that are accessible to unauthorized users.
In Hanami applications, API keys often reside in environment-specific configuration files or are injected through environment variables. A particularly dangerous pattern emerges when developers hardcode API keys directly in controllers or service objects, making them visible in the codebase. For example:
Hanami-Specific Detection
Detecting API key exposure in Hanami applications requires understanding the framework's unique patterns and conventions. Static analysis tools need to be configured to recognize Hanami's specific file structures and naming conventions. The framework's use of slices and modules creates a different attack surface than traditional Rails applications.
middleBrick's scanner is particularly effective at detecting API key exposure in Hanami applications because it understands the framework's conventions. The scanner looks for:
- Hardcoded API keys in Hanami action classes and services
- API keys exposed through Hanami's dependency injection container
- Configuration files in the
config/ directory that may contain credentials - Environment variable usage patterns that reveal sensitive data
- API keys in Hanami's slice-specific configurations
Running middleBrick against a Hanami application is straightforward:
middlebrick scan https://your-hanami-app.com/api/v1/users
The scanner performs black-box testing that simulates real attack scenarios, testing for API key exposure without requiring access to your source code. It specifically checks for authentication bypass attempts and credential leakage through response headers and error messages.
For continuous monitoring, the GitHub Action integration can be configured to scan your Hanami API endpoints during the CI/CD pipeline:
- name: Scan API Security
uses: middleBrick/middleBrick-action@v1
with:
target_url: "https://staging.your-hanami-app.com"
fail_below: B
This ensures that any API key exposure is caught before deployment to production environments.
Hanami-Specific Remediation
Remediating API key exposure in Hanami applications requires leveraging the framework's built-in security features and following best practices for credential management. The first step is to centralize API key management using Hanami's configuration system:
# config/application.rb
Hanami.configure do
environment :development do
secrets.merge! Stripe: ENV["STRIPE_API_KEY"]
end
environment :production do
secrets.merge! Stripe: ENV["STRIPE_API_KEY"]
end
end
Within your Hanami actions and services, access API keys through the configuration system rather than hardcoding:
class Users::Create < Action
include Deps["config.secrets.stripe"]
def call(params)
stripe = Stripe::Client.new(api_key: @stripe)
stripe.customers.create(params[:customer])
end
end
This approach ensures that API keys are properly injected and can be rotated without code changes. For slice-specific API keys, use Hanami's slice configuration:
# slices/billing/lib/billing.rb
module Billing
class Slice < Hanami::Slice
register_slice :billing
configure do
secrets.merge! Stripe: ENV["BILLING_STRIPE_API_KEY"]
end
end
end
Hanami's environment-specific configuration also helps prevent API key exposure in development environments. Use different API keys for development and production, and ensure development keys have limited permissions:
# config/development.rb
Hanami.configure do
secrets.merge! Stripe: "sk_test_dev_key"
end
For enhanced security, implement API key rotation and monitoring. Use Hanami's middleware system to log API key usage and detect anomalies:
# lib/api_key_middleware.rb
class ApiKeyMiddleware
def initialize(app, &block)
@app = app
end
def call(env)
if env["HTTP_AUTHORIZATION"]
# Log API key usage for monitoring
Hanami::Logger.info("API key used: #{env["HTTP_AUTHORIZATION"]}")
end
@app.call(env)
end
end
Finally, integrate security scanning into your development workflow using middleBrick's CLI tool:
middlebrick scan --format=json --output=report.json http://localhost:2300/api
This provides immediate feedback on API key exposure vulnerabilities during development.
Frequently Asked Questions
How does middleBrick detect API key exposure in Hanami applications?
middleBrick uses black-box scanning techniques to test Hanami API endpoints for credential leakage. It checks for hardcoded API keys in responses, tests authentication bypass scenarios, and analyzes error messages for sensitive data exposure. The scanner understands Hanami's conventions and specifically looks for patterns where API keys might be exposed through the framework's dependency injection system or configuration files.Can middleBrick scan my local Hanami development environment?
Yes, middleBrick can scan any accessible API endpoint, including local development servers. Simply run middlebrick scan http://localhost:2300 (or your Hanami server's port) to analyze your local API for security vulnerabilities. This is particularly useful for catching API key exposure issues before they reach production.