HIGH api key exposurestrapicockroachdb

Api Key Exposure in Strapi with Cockroachdb

Scan for api key exposure in strapi

Api Key Exposure in Strapi with Cockroachdb — how this specific combination creates or exposes the vulnerability

Strapi is a headless CMS that often connects to external databases such as CockroachDB. When API keys or database credentials are mishandled in Strapi’s configuration or environment, an attacker can retrieve sensitive connection strings or authentication tokens. CockroachDB, while secure by design, relies on proper certificate handling and connection string protection. A misconfigured Strapi environment can expose these credentials through insecure endpoints, debug routes, or improperly restricted admin panels.

During an unauthenticated scan, middleBrick tests for API key exposure by checking for secrets in responses, source code references, or error messages that reveal database connection details. If Strapi returns stack traces or configuration snippets that include CockroachDB connection URIs, an attacker can harvest hostnames, certificates, or usernames. This becomes especially risky when Strapi runs in development mode or when environment variables like COCKROACHDB_URL are accidentally exposed via logs or repository history.

Because Strapi may dynamically generate database connections based on environment variables, a compromised server or CI/CD pipeline can lead to credential leakage. The scanner’s checks for data exposure and unsafe consumption identify whether sensitive strings related to CockroachDB appear in HTTP responses. For example, a response that includes a literal connection string such as postgresql://user:password@host:26257/dbname would be flagged as a high-severity finding. The presence of such strings in error payloads or GraphQL responses indicates that API key exposure is occurring through Strapi’s integration with CockroachDB.

middleBrick also evaluates input validation and property authorization to determine whether an unauthenticated user can trigger endpoints that reveal internal configuration. If Strapi endpoints do not enforce proper access controls, an attacker might request debug or health endpoints that return database connection metadata. This aligns with findings from the Authentication and BOLA/IDOR checks, which verify whether sensitive data is unnecessarily exposed. By correlating runtime behavior with OpenAPI specifications, middleBrick cross-references defined security expectations against actual responses to detect inconsistencies that lead to API key exposure.

Cockroachdb-Specific Remediation in Strapi — concrete code fixes

To secure Strapi when using CockroachDB, ensure that connection details are never exposed through application responses. Use environment variables and secure configuration management to store sensitive data. Below are specific code examples that demonstrate secure practices.

Secure Database Configuration

Define your CockroachDB connection using environment variables and validate them at startup. This prevents hardcoded credentials from appearing in source code or runtime errors.

// config/database.js
module.exports = ({
  env
}) => ({
  defaultConnection: 'default',
  connections: {
    default: {
      connector: 'bookshelf',
      settings: {
        client: 'postgres',
        host: env('COCKROACHDB_HOST', 'localhost'),
        port: env.int('COCKROACHDB_PORT', 26257),
        database: env('COCKROACHDB_DATABASE', 'strapi'),
        schema: env('COCKROACHDB_SCHEMA', 'public'),
        ssl: {
          rejectUnauthorized: env.bool('COCKROACHDB_SSL_REJECT_UNAUTHORIZED', true)
        },
        username: env('COCKROACHDB_USERNAME', 'admin'),
        password: env('COCKROACHDB_PASSWORD', '')
      },
      enabled: true
    }
  }
});

Ensure that your environment variables are set securely and not logged. For CockroachDB, use TLS certificates and avoid exposing the connection string in logs or error messages.

Restricting Debug and Health Endpoints

Disable or restrict access to debug endpoints that may expose database metadata. In Strapi, configure policies to prevent unauthorized access to sensitive routes.

// src/api/health/controllers/health.js
'use strict';

module.exports = {
  async check(ctx) {
    // Return minimal health status without exposing database details
    ctx.body = {
      status: 'OK',
      timestamp: new Date().toISOString()
    };
  }
};

Apply a global policy to filter sensitive information from error responses. This prevents CockroachDB connection strings from appearing in stack traces.

// src/middlewares/error-handler/middleware.js
module.exports = {
  async errorHandler(ctx, next) {
    try {
      await next();
    } catch (err) {
      // Avoid exposing internal error details
      ctx.status = err.status || 500;
      ctx.body = {
        error: 'Internal Server Error',
        message: ctx.app.get('env') === 'production'
          ? 'An unexpected error occurred.'
          : err.message
      };
      // Log full error securely on server side only
    }
  }
};

Use middleware to sanitize responses and ensure that no database credentials are leaked. Regularly rotate credentials and certificates used by CockroachDB to reduce the impact of potential exposure.

Scan for api key exposure in strapi Free API security scan

Frequently Asked Questions

Can middleBrick detect exposed API keys in error responses from Strapi?
Yes, middleBrick scans error payloads and responses for patterns that resemble API keys, database connection strings, or other sensitive credentials. If Strapi returns a CockroachDB connection URI in an error message, it will be flagged as a high-severity finding.
How does middleBrick verify that Strapi is not exposing CockroachDB credentials?
middleBrick performs unauthenticated checks across multiple security domains, including data exposure and input validation. It cross-references runtime responses with OpenAPI specifications to identify inconsistencies where sensitive strings such as database URLs may be inadvertently disclosed.

Related Pages

Api Key Exposure in StrapiLearn how API key exposure affects Strapi applications, including JWT secrets, API tokens, and content-type permissions.Api Key Exposure in CockroachdbDetect and fix API key exposure in CockroachDB apps. Learn attack patterns, scanning with middleBrick, and remediation uApi Key Exposure in Strapi on GcpExplore how API keys can be exposed in Strapi on GCP, detection methods, and Gcp-specific remediation with code examplesApi Key Exposure in Strapi on CloudflareLearn how API key exposure can occur when Strapi sits behind Cloudflare and apply concrete Cloudflare worker rules and cIso 27001: Api Key Exposure in StrapiExplore ISO 27001 controls for API key exposure with Strapi, including secure handling and remediation code examples.Hipaa: Api Key Exposure in StrapiHIPAA risks from API key exposure in Strapi, detection methods, and Strapi-specific remediation steps.Cis: Api Key Exposure in StrapiExplore CIS Controls in API key exposure with Strapi, including detection methods and secure code examples to prevent crGdpr: Api Key Exposure in StrapiGDPR risks from API key exposure with Strapi, detection patterns, and Strapi-specific code fixes for secure key handlingApi Key Exposure in Strapi with Bearer TokensUnderstand api key exposure in Strapi when using bearer tokens, with remediation examples and secure coding practices.Api Key Exposure in Strapi with Hmac SignaturesExplore API key exposure risks with Strapi and Hmac Signatures. Learn secure implementation patterns and remediation steApi Key Exposure in Strapi with Basic AuthUnderstand how Basic Auth with Strapi can expose API keys, and apply concrete code fixes to secure endpoints. Scan with Api Key Exposure in Strapi with Api KeysmiddleBrick scans Strapi API key exposure, showing how keys become vulnerable and how to remediate with code policies, H