Rocket API Security
Rocket Security Posture
Rocket is a Rust-based web framework that emphasizes type safety and compile-time guarantees. By default, Rocket provides several security advantages: it enforces HTTPS in production through its fairings system, uses strong type checking to prevent common injection vulnerabilities, and offers built-in request guards for authentication. However, Rocket's minimal defaults also mean developers must actively configure security settings—there's no automatic rate limiting, CORS policies are wide open by default, and sensitive data exposure through error messages is common if not properly handled.
Top 5 Security Pitfalls in Rocket
1. Default CORS Configuration
Rocket's CORS fairing allows all origins by default: cors = rocket_cors::CorsOptions::default().to_cors().unwrap(). This exposes your API to cross-origin attacks from any domain. Always configure specific allowed origins and methods.
2. Debug Mode in Production
Running Rocket with ROCKET_ENV=production still shows detailed error pages containing stack traces and environment variables if rocket::config::Config::debug() is enabled. These error pages can leak database credentials, API keys, and internal paths.
3. Missing Rate Limiting
Rocket has no built-in rate limiting. Without middleware, APIs are vulnerable to brute force attacks, credential stuffing, and DoS attempts. The rocket-ratelimit crate provides basic protection but requires explicit configuration.
4. Insecure Default Headers
Rocket doesn't set security headers by default. Missing X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy headers leave APIs vulnerable to MIME sniffing, clickjacking, and XSS attacks.
5. Database Connection Pool Exposure
Rocket's connection pool management can inadvertently expose database connections if request guards aren't properly scoped. A misconfigured guard might allow database access to unauthenticated endpoints, leading to data exposure.
Security Hardening Checklist
1. Configure Secure CORS
Replace default CORS with specific origins:
use rocket_cors::{Cors, AllowedOrigins};
let cors = Cors::from_options(AllowedOrigins::some_exact(&["https://example.com"]), // allowed origins
&Default::default(), // allow all methods
&Default::default(), // allow all headers
&Default::default(), // allow all credentials
&Default::default()).unwrap();
2. Enable Security Headers
Add a fairing for security headers:
use rocket::http::Header;
#[derive(Default)]
struct SecurityHeaders;
#[rocket::async_trait]
impl rocket::fairing::Fairing for SecurityHeaders {
fn info(&self) -> rocket::fairing::Info {
rocket::fairing::Info {
name: "Security Headers",
kind: rocket::fairing::Kind::Response,
}
}
async fn on_response(
&self,
_request: &rocket::Request<'_>,
response: &mut rocket::Response<'_>,
) {
response.adjoin_header(Header::new("X-Content-Type-Options", "nosniff"));
response.adjoin_header(Header::new("X-Frame-Options", "DENY"));
response.adjoin_header(Header::new("X-XSS-Protection", "1; mode=block"));
response.adjoin_header(Header::new("Referrer-Policy", "strict-origin-when-cross-origin"));
}
}
3. Implement Rate Limiting
Configure request rate limits:
use rocket_ratelimit::{RateLimit, RateLimitState};
#[get("/protected")]
#[rate_limit(5, 60)] // 5 requests per 60 seconds
async fn protected() -> &'static str {
"Access granted"
}
4. Secure Error Handling
Customize error catchers to prevent information disclosure:
use rocket::response::content;
#[catch(500)]
fn internal_error() -> content::Html<&'static str> {
content::Html("<h1>Internal Server Error</h1><p>Something went wrong. Please try again later.</p>")
}
#[catch(404)]
fn not_found() -> content::Html<&'static str> {
content::Html("<h1>Not Found</h1><p>The requested resource was not found.</p>")
}
5. Secure Database Access
Scope database connections to authenticated requests only:
use rocket::request::{self, FromRequest};
use rocket::outcome::Outcome;
use rocket::Request;
struct AuthenticatedDbConn(SqliteConnection);
#[rocket::async_trait]
impl<'r> FromRequest<'r> for AuthenticatedDbConn {
type Error = ();
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
let auth = request.guard::<Auth>().await;
match auth {
Outcome::Success(_) => {
let db = request.guard::<Db<SqliteConnection>>().await;
match db {
Outcome::Success(db) => Outcome::Success(AuthenticatedDbConn(db.get().clone())),
_ => Outcome::Failure((Status::ServiceUnavailable, ())),
}
}
_ => Outcome::Forward(()),
}
}
}
Frequently Asked Questions
How does Rocket's type safety affect API security?
Rocket's strong type system prevents many common vulnerabilities at compile time. Request data is automatically parsed into typed structures, eliminating manual parsing errors that often lead to injection attacks. The framework's route guards ensure only properly authenticated and authorized requests reach your handlers. However, type safety doesn't prevent logic errors—developers must still validate business rules and implement proper authorization checks.
Can middleBrick scan Rocket APIs for security vulnerabilities?
Yes, middleBrick can scan any Rocket API endpoint without requiring access to source code or credentials. The scanner tests the unauthenticated attack surface, checking for vulnerabilities like broken object level authorization (BOLA), rate limiting weaknesses, and data exposure. middleBrick's LLM security checks are particularly valuable for Rocket APIs that integrate with AI services, detecting prompt injection vulnerabilities and excessive agency patterns that could lead to data exfiltration.
What are the most critical Rocket security misconfigurations?
The most critical misconfigurations in Rocket are: leaving CORS wide open to all origins, running with debug information enabled in production, omitting rate limiting on sensitive endpoints, failing to set security headers, and improperly scoping database connections. These issues can lead to data breaches, account takeovers, and service disruptions. middleBrick's security scanning can identify these misconfigurations by testing your API's actual behavior rather than just reviewing configuration files.