Data Exposure in Express with Hmac Signatures
Data Exposure in Express with Hmac Signatures
Data exposure in Express when Hmac Signatures are used incorrectly occurs when a server includes sensitive data in a response and then signs it with an Hmac without preventing the data from being exposed in the first place. Hmac Signatures ensure integrity and authenticity, but they do not provide confidentiality. If an endpoint returns personally identifiable information, authentication tokens, or internal identifiers in the response body and then signs that body, an attacker who can observe the signed output can still read the sensitive content even if they cannot forge valid signatures.
In Express, this often happens when a developer adds Hmac signing as a transport integrity mechanism (for example to prevent tampering with query parameters or cookies) but neglects to filter or encrypt the response payload. Consider an endpoint that returns user profile data including email and internal IDs, signs the JSON with an Hmac key, and sends both the payload and signature in headers or a combined format. An authenticated or unauthenticated attacker who can trigger the endpoint and read the response gains access to the sensitive fields. Because Hmac verification only checks that the data has not been altered, the framework does not block the exposure; the data is already present in plaintext in the response before signing.
A common pattern involves signing cookies or URL parameters to prevent tampering. For example, an application might serialize user preferences into a JSON object, sign it with Hmac, and store it in a cookie. If the JSON includes sensitive fields such as roles or permissions, those fields are readable by any script that can read the cookie, even though the cookie value is integrity-protected. Similarly, returning sensitive resources with a signed ETag or custom signed header can leak information if the resource representation itself is not protected by access controls or encryption.
Another scenario arises when an Express route builds a response that includes secrets such as API keys or session handles, computes an Hmac over the response body, and then includes the signature in a response header. If the response is logged, cached, or reflected in client-side storage, the sensitive body is persisted in cleartext. The signature does not prevent this; it only ensures that an adversary cannot modify the body without detection. This is particularly relevant for endpoints that return configuration or diagnostic data that should remain confidential.
SSRF and external request paths can exacerbate data exposure risks when Hmac Signatures are involved. If an Express endpoint accepts a URL parameter, fetches remote data, signs the fetched data, and returns it to the caller, an attacker may induce the server to fetch internal resources that contain sensitive information. The signed response reveals the content of those internal resources to the attacker. Proper input validation, network isolation, and strict allowlists are required to prevent the endpoint from acting as an unintentional data proxy.
Hmac Signatures-Specific Remediation in Express
Remediation focuses on preventing sensitive data from appearing in responses that are signed, and ensuring that signing is applied only to integrity-critical metadata rather than full payloads. Below are concrete Express code examples that demonstrate secure patterns.
First, avoid signing responses that contain sensitive fields. Instead, sign only non-sensitive metadata such as timestamps or version identifiers, and keep sensitive data encrypted or omitted from the response.
const crypto = require('crypto');
const express = require('express');
const app = express();
const HMAC_KEY = process.env.HMAC_KEY;
function signPayload(payload) {
const hmac = crypto.createHmac('sha256', HMAC_KEY);
hmac.update(JSON.stringify(payload));
return hmac.digest('hex');
}
// Secure: return only non-sensitive data, sign a safe metadata object
app.get('/profile/summary', (req, res) => {
const sensitiveProfile = {
email: '[email protected]',
ssn: '123-45-6789',
internalId: 'usr-abc-123'
};
const publicSummary = {
username: 'jdoe',
updatedAt: new Date().toISOString()
};
const signature = signPayload(publicSummary);
res.set('X-Payload-Signature', signature);
res.json(publicSummary);
});
Second, when you must include identifiers, ensure that they are not directly revealing and are validated server-side before use. Use opaque tokens instead of raw internal IDs, and verify permissions on each request rather than relying on signed client-supplied values.
const crypto = require('crypto');
const express = require('express');
const app = express();
const HMAC_KEY = process.env.HMAC_KEY;
function createSignedToken(data) {
const hmac = crypto.createHmac('sha256', HMAC_KEY);
hmac.update(JSON.stringify(data));
return { token: hmac.digest('hex'), data };
}
function verifySignedToken(token, signature) {
const hmac = crypto.createHmac('sha256', HMAC_KEY);
hmac.update(JSON.stringify(token.data));
const expected = hmac.digest('hex');
return timingSafeEqual(expected, signature);
}
function timingSafeEqual(a, b) {
if (a.length !== b.length) return false;
let result = 0;
for (let i = 0; i < a.length; i++) {
result |= a.charCodeAt(i) ^ b.charCodeAt(i);
}
return result === 0;
}
app.get('/resource/:id', (req, res) => {
const publicToken = { id: 'public-123', scope: 'read' };
const { token, signature } = createSignedToken(publicToken);
if (!verifySignedToken(token, req.query.signature)) {
return res.status(403).json({ error: 'invalid signature' });
}
// Fetch resource using server-side mapping, never trust token.id directly for data exposure
res.json({ resourceId: 'internal-xyz', name: 'Safe Resource' });
});
Third, enforce strict input validation and avoid reflecting untrusted data in signed outputs to prevent injection and exposure via logged or cached responses. Do not sign and forward data obtained from external URLs without thorough sanitization.
const crypto = require('crypto');
const express = require('express');
const app = express();
const HMAC_KEY = process.env.HMAC_KEY;
app.get('/signed-query', (req, res) => {
const userInput = req.query.q;
if (!userInput || typeof userInput !== 'string' || userInput.length > 100) {
return res.status(400).json({ error: 'invalid query' });
}
// Do not sign raw user input; sign a structured, sanitized object
const safePayload = {
q: userInput.trim(),
timestamp: Date.now()
};
const hmac = crypto.createHmac('sha256', HMAC_KEY);
hmac.update(JSON.stringify(safePayload));
const signature = hmac.digest('hex');
res.set('X-Signature', signature);
res.json(safePayload);
});
Finally, use HTTPS to protect data in transit and apply appropriate access controls so that sensitive fields are never included in responses that could be captured in logs or caches, even when signatures are present.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |