Dns Rebinding in Feathersjs with Api Keys

DNS rebinding is a client-side attack that manipulates DNS responses to make a browser believe a remote host is a different IP address over time. In FeathersJS applications that rely on API keys for authorization, this can expose internal services or bypass intended network boundaries. When an API key is issued to a client—typically in single-page applications or mobile clients—the key is often treated as a bearer token that grants access to Feathers services. If the client resolves a hostname that can be rebound to an internal IP, the browser will send requests with the API key to the attacker-controlled IP. Because FeathersJS services commonly accept requests with API keys via headers such as Authorization or custom headers, the rebounded request may be accepted as valid, allowing the attacker to interact with internal endpoints not intended for external access.

Consider a FeathersJS service that authenticates requests using an API key passed in a header. The client resolves api-internal.example.com to an external IP at first load, but through DNS rebinding the attacker causes the browser to later resolve the same hostname to 127.0.0.1 or to another internal service such as a management interface on 192.168.1.10. Subsequent requests from the victim’s browser include the API key, and FeathersJS processes them as legitimate. This becomes especially dangerous if the FeathersJS application exposes administrative or debug endpoints that do not enforce additional access controls beyond the API key. The combination of a weak boundary between public and internal networks and the misuse of API keys as the sole authorization mechanism can lead to unauthorized access to sensitive operations or data.

To illustrate, a FeathersJS service might define a hook that checks for an API key:

// src/hooks/verify-api-key.js
module.exports = function verifyApiKey(options) {
  return async context => {
    const allowedKeys = new Set([process.env.API_KEY_1, process.env.API_KEY_2]);
    const provided = context.headers['x-api-key'];
    if (!provided || !allowedKeys.has(provided)) {
      throw new Error('Unauthorized');
    }
    return context;
  };
};

If the client obtains API_KEY_1 through a secure channel and the FeathersJS service trusts this header without additional network validation, DNS rebinding can pivot the request to an internal host that also runs a FeathersJS instance with the same key. The hook will evaluate successfully, and the attacker can invoke services bound to localhost or internal networks. This highlights the need to treat API keys as insufficient for isolation when network boundaries can be manipulated. middleBrick can detect such misconfigurations by scanning the unauthenticated attack surface and identifying endpoints that accept API keys without network-level restrictions, providing prioritized findings with remediation guidance.

Remediation centers on ensuring API keys are not the sole authorization mechanism and that network boundaries are enforced regardless of DNS resolution. In FeathersJS, you should combine API key validation with origin checks, IP restrictions, or service-to-service authentication where appropriate. Avoid relying on DNS names that can be rebinded; use strict hostname validation and avoid exposing internal services to client-controlled DNS.

First, validate the request origin in addition to the API key. For example, within a Feathers hook you can check the origin or referer header against an allowlist:

// src/hooks/verify-api-key-and-origin.js
const ALLOWED_ORIGINS = new Set([
  'https://app.yourcompany.com',
  'https://api.yourcompany.com'
]);

module.exports = function verifyApiKeyAndOrigin(options) {
  return async context => {
    const allowedKeys = new Set([process.env.API_KEY_1, process.env.API_KEY_2]);
    const provided = context.headers['x-api-key'];
    const origin = context.headers.origin || context.headers.referer;
    if (!provided || !allowedKeys.has(provided)) {
      throw new Error('Unauthorized: invalid API key');
    }
    if (!origin || !ALLOWED_ORIGINS.has(origin)) {
      throw new Error('Unauthorized: invalid origin');
    }
    return context;
  };
};

Second, avoid binding sensitive FeathersJS services to hostnames that resolve to internal IPs. Instead, bind to 127.0.0.1 when the service is not intended for external access, and use a reverse proxy to expose a controlled public endpoint. If internal communication is required, use mTLS or service tokens rather than API keys issued to browsers.

Third, if you must accept API keys from clients, rotate them frequently and scope them to specific permissions and origins. In your FeathersJS service configuration, apply per-route hooks and avoid global hooks that trust API keys implicitly:

// src/services/protected/resource/resource.class.js
const { iff, isProvider } = require('feathers-hooks-common');
const verifyApiKey = require('../../hooks/verify-api-key-and-origin');

module.exports = function setupProtectedService(app) {
  const options = {
    name: 'protected',
    paginate: { default: 10, max: 25 }
  };
  const service = app.service('protected');
  service.hooks({
    before: {
      all: [iff(isProvider('external'), verifyApiKey())],
      find: [],
      get: [],
      create: [],
      update: [],
      patch: [],
      remove: []
    }
  });
};

Finally, consider integrating middleBrick into your workflow to continuously scan your FeathersJS endpoints. The CLI tool allows you to run middlebrick scan <url> from your terminal, while the GitHub Action can enforce security thresholds in CI/CD pipelines. For teams requiring deeper visibility, the Dashboard enables tracking of risk scores over time, and the MCP Server lets you scan APIs directly from AI coding assistants. These integrations complement secure coding practices by surfacing misconfigurations early.