Arp Spoofing in Adonisjs with Mutual Tls

Arp spoofing is a link-layer attack where an attacker sends falsified Address Resolution Protocol replies to associate their MAC address with the IP of a legitimate host, such as a database or another service in your infrastructure. In an AdonisJS application that uses mutual Transport Layer Security (mTLS), the application terminates TLS at the HTTP layer while relying on the underlying host network for identity. Because mTLS validates the certificate presented by the peer, it does not inherently protect against an attacker who is already on the same local network segment and can intercept traffic between the AdonisJS server and its upstream service (e.g., a database or another microservice).

When AdonisJS runs behind a proxy or load balancer that handles TLS, developers may assume mTLS is enforced end-to-end. However, if the service-to-service path between the AdonisJS runtime and a backend does not enforce mTLS, or if the certificate verification is misconfigured, ARP spoofing can redirect traffic to an attacker on the same subnet. The attacker can then observe or manipulate unencrypted internal traffic that the AdonisJS application forwards, despite the presence of mTLS at the edge. This is especially relevant in containerized or cloud environments where flat networking and shared subnets increase exposure.

The combination does not introduce a protocol flaw in AdonisJS itself, but it highlights a gap in threat modeling: mTLS secures the application channel, yet link-layer integrity is assumed. If an attacker conducts ARP spoofing, they can sit inline and read or modify requests and responses that the AdonisJS app sends to a service that does not require client certificates. Sensitive data such as tokens or PII may be exposed, and integrity checks at the HTTP layer will not detect tampering because the attacker can forward modified traffic with valid mTLS credentials if they possess a legitimate cert, or simply observe traffic when mTLS is not required from the backend.

To assess this risk with middleBrick, you can run a scan against your AdonisJS endpoint to surface findings related to authentication boundaries and data exposure. The scan tests the unauthenticated attack surface and can highlight whether security headers, rate limiting, or other controls inadvertently leave internal paths unprotected. While middleBrick does not fix these issues, it provides prioritized findings with remediation guidance to help you tighten the full chain from edge to service.

Remediation focuses on ensuring that every hop which requires identity verification enforces mTLS, and that the AdonisJS application does not trust traffic simply because it originates from a trusted network zone. Below are concrete patterns you can apply in AdonisJS using the built-in HTTP client and server-side TLS options.

1. Enforcing client certificates when AdonisJS calls downstream services

When your AdonisJS app acts as a client to another service, configure the HTTP client to present and verify a client certificate. Using @adonisjs/core's native fetch or an HTTP client wrapper, you can supply key and certificate paths and set strict certificate validation.

import { HttpsClient } from '@adonisjs/core/HttpClient'

const client = new HttpsClient({
  hostname: 'db-internal.example.com',
  port: 5432,
  cert: '/etc/tls/client.crt',
  key: '/etc/tls/client.key',
  ca: '/etc/tls/ca-bundle.crt',
  rejectUnauthorized: true,
})

const response = await client.get('/health')
console.log(response.status, response.body)

Ensure rejectUnauthorized is true and the CA bundle includes only the trusted root that signed your peer certificates. This prevents the app from accepting a spoofed server even if an attacker performs ARP spoofing, provided the attacker does not possess a valid certificate signed by your CA.

2. Configuring the AdonisJS HTTPS server to request client certificates

If you terminate mTLS at the AdonisJS server itself, instruct the HTTPS server to require and validate client certificates. This is typically done in the start/hooks.ts or server configuration file.

import { defineConfig } from '@adonisjs/core/app'
import { join } from 'path'

export default defineConfig({
  https: {
    enable: true,
    key: join(__dirname, '../tls/server.key'),
    cert: join(__dirname, '../tls/server.crt'),
    ca: join(__dirname, '../tls/ca-bundle.crt'),
    requestCert: true,
    rejectUnauthorized: true,
  },
})

With requestCert enabled and rejectUnauthorized set to true, the server will drop connections that do not present a valid client certificate signed by the specified CA. This closes the gap where ARP spoofing could allow an unauthorized host to masquerade as a legitimate client on the same subnet.

3. Network-level hardening alongside mTLS

While mTLS is a strong control, combine it with network segmentation and host firewall rules to reduce the attack surface for ARP spoofing. Use VPCs, security groups, and private endpoints to limit which hosts can reach your AdonisJS instance. Within the application, validate the identity of backend services using certificate subject alternative names (SANs) and pin certificates where feasible.

4. Observability and validation

Log certificate metadata and connection origins for auditability. If you use the middleBrick CLI to scan your API endpoints, you can correlate runtime findings with configuration checks to ensure mTLS is correctly enforced across the stack. The CLI provides JSON output that can be integrated into scripts to verify settings programmatically.