Cache Poisoning in Axum with Basic Auth
Cache Poisoning in Axum with Basic Auth — how this specific combination creates or exposes the vulnerability
Cache poisoning occurs when an attacker manipulates cached responses so that subsequent users receive malicious or incorrect data. In Axum, this risk can be amplified when HTTP Basic Authentication is used without careful handling of cache keys and headers. Basic Auth typically relies on the Authorization header containing a base64-encoded credential pair. If responses are cached based only on the request path and query parameters, and the cache ignores the Authorization header, users may inadvertently share authenticated responses across accounts.
Consider a scenario where an endpoint returns user-specific data but is cached without incorporating the Authorization header into the cache key. An authenticated request with one user’s credentials could be stored and later served to another user. MiddleBrick’s 12 security checks include Data Exposure and Authentication evaluations, which can identify whether cached responses leak sensitive information across users. The scanner examines whether authentication mechanisms influence caching behavior and flags cases where authenticated responses appear to be shared unintentionally.
Certain response headers can also exacerbate cache poisoning. For example, if Vary is not set correctly to include Authorization, intermediaries or reverse proxies may serve a cached response to users with different credentials. This misconfiguration can lead to privilege confusion, where one user sees data they should not have access to. MiddleBrick’s OpenAPI/Swagger analysis resolves $ref definitions and cross-references runtime findings to detect inconsistencies between documented authentication expectations and actual caching behavior.
LLM/AI Security checks in MiddleBrick additionally probe for system prompt leakage and output exposure, which can occur if cached authenticated responses include sensitive information in error messages or metadata. While this is less about traditional cache poisoning and more about unintended data exposure through cached authenticated content, the scanner validates whether outputs could reveal credentials or PII when responses are improperly reused.
To mitigate such risks, developers must ensure that cache keys explicitly include relevant authentication context or avoid caching sensitive authenticated responses. MiddleBrick’s findings include prioritized guidance with severity levels and remediation steps, helping teams adjust routing, headers, or caching strategies to prevent poisoned cache entries from affecting multiple users.
Basic Auth-Specific Remediation in Axum — concrete code fixes
To secure Axum endpoints using Basic Authentication while preventing cache poisoning, you should explicitly incorporate authentication into cache behavior and avoid storing or serving authenticated responses to unauthorized users. Below are concrete code examples demonstrating secure handling of Basic Auth in Axum.
First, ensure that your caching layer or middleware respects the Authorization header when generating cache keys. If you cannot modify caching infrastructure, avoid caching authenticated responses by setting appropriate headers. Here is a minimal Axum example that conditionally skips caching for authenticated requests:
use axum::{routing::get, Router, response::IntoResponse, http::header};
use std::net::SocketAddr;
async fn handler() -> impl IntoResponse {
// Business logic here
(axum::http::StatusCode::OK, "Public response")
}
async fn auth_handler() -> impl IntoResponse {
// Ensure authenticated responses are not cached by shared intermediaries
(axum::http::StatusCode::OK,
[(header::CACHE_CONTROL, "no-store"), (header::PRAGMA, "no-cache")],
"Private response")
}
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/public", get(handler))
.route("/private", get(auth_handler));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
tracing::debug!("Listening on {}", addr);
axum::Server::bind(&addr)
.serve(app.into_make_service())
.await
.unwrap();
}
In this example, the /private route sets Cache-Control: no-store and Pragma: no-cache to prevent storage of responses that contain Basic Auth credentials. This reduces the likelihood that a cached response will be incorrectly served to another user. For public endpoints without authentication, caching can remain enabled, but you should still validate that shared caches do not inadvertently mix authenticated and unauthenticated content.
When implementing Basic Auth, validate credentials on each request and avoid relying on session tokens stored in cookies unless they are similarly protected. MiddleBrick’s CLI tool can scan your Axum service to verify whether authenticated routes include appropriate no-store directives and whether Vary headers account for Authorization. Using the GitHub Action, you can enforce that new routes include these safeguards before deployment, preventing regressions in authentication handling.
Additionally, ensure that HTTPS is enforced for all routes using Basic Auth, as credentials are transmitted in the header on every request. MiddleBrick’s encryption checks validate that endpoints are served over TLS and that sensitive headers are not exposed in logs or error messages. These practices complement code-level fixes and help maintain a robust security posture across your API surface.