Missing Tls in Adonisjs with Api Keys

Transport Layer Security (TLS) ensures confidentiality and integrity in transit. When an AdonisJS API that uses API keys does not enforce TLS, keys can be captured in cleartext, enabling unauthorized access to protected endpoints. AdonisJS applications often expose routes for key issuance, validation, and rotation; without HTTPS, these exchanges are vulnerable to on-path interception on shared or compromised networks.

In practice, a missing TLS configuration means API keys are sent as HTTP headers (e.g., X-API-Key) in cleartext. An attacker conducting passive sniffing or a man-in-the-middle (MITM) attack can observe, log, and reuse these credentials. Because API keys typically grant access to sensitive endpoints, their exposure can lead to data exfiltration, privilege escalation, or abuse of rate-limited resources. The risk is compounded when combined with insecure default bindings (e.g., listening on all interfaces without redirecting HTTP to HTTPS) or when keys are embedded in client-side code or logs that traverse unencrypted channels.

When scanning an AdonisJS endpoint with API key authentication but without TLS, middleBrick’s Encryption check flags the absence of HTTPS and maps findings to OWASP API Top 10 (2023) A02:2023 — Cryptographic Failures and A01:2021 — Broken Access Control due to exposed credentials. The scan also checks whether API key handling practices over HTTP can lead to sensitive data exposure, reinforcing findings related to Data Exposure and Authentication. Even in unauthenticated scans, a lack of enforced transport security is detectable because the service responds over HTTP and does not redirect to HTTPS, indicating weak transport-layer hygiene.

To remediate missing TLS in AdonisJS when using API keys, enforce HTTPS at the infrastructure and application levels and ensure keys are handled securely over encrypted channels. Below are concrete, syntactically correct examples for an AdonisJS project using the @adonisjs/https helper and environment-based configuration.

1. Enforce HTTPS redirection and secure server binding

Ensure the server listens on HTTPS and redirects HTTP to HTTPS. Use environment variables for certificates and ports.

// start/hooks.ts
import { defineHooks } from '@adonisjs/core/app'

export default defineHooks(({ httpsPort, httpPort, httpsServer, httpServer }) => {
  httpServer?.on('request', (req, res) => {
    res.statusCode = 301
    res.setHeader('Location', `https://${req.headers.host}${req.url}`)
    res.end()
  })

  return {
    httpsServer,
    httpServer,
  }
})

Configure start/server.ts to load TLS materials securely:

// start/server.ts
import { defineConfig } from '@adonisjs/core/app'

export default defineConfig({
  https: {
    key: process.env.HTTPS_KEY_PATH || 'path/to/key.pem',
    cert: process.env.HTTPS_CERT_PATH || 'path/to/cert.pem',
  },
  port: Number(process.env.HTTPS_PORT) || 443,
  hostname: '0.0.0.0',
})

2. Secure API key validation middleware over HTTPS

Implement middleware that validates API keys and ensure it is only reachable via HTTPS. Do not leak keys in URLs or logs.

// middleware/api_key.ts
import { Exception } from '@adonisjs/core/build/standalone'

export default async function apiKeyAuth(ctx: HttpContextContract) {
  const provided = ctx.request.header('X-API-Key')
  const expected = process.env.API_KEY

  if (!provided || !expected || provided !== expected) {
    throw new Exception('Unauthorized', 401, 'invalid_api_key')
  }

  // Proceed only if TLS is verified (HTTPS)
  ctx.response.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
  await next()
}

3. Environment and runtime protection

Never commit keys to source control. Use .env and ensure the application rejects insecure HTTP requests in production.

# .env
HTTPS_KEY_PATH=/etc/ssl/private/server.key
HTTPS_CERT_PATH=/etc/ssl/certs/server.crt
HTTPS_PORT=443
API_KEY=sk_live_abcdef1234567890

In your route definitions, apply the middleware exclusively over HTTPS routes:

// routes/api.ts
import Route from '@ioc:Adonis/Core/Route'
import apiKeyAuth from 'App/Middleware/api_key'

Route.group(() => {
  Route.get('/secure/resource', async ({ json }) => {
    return { data: 'protected over TLS' }
  }).middleware([apiKeyAuth])
}).prefix('api/v1').enableBodyTracking()

4. Infrastructure and deployment considerations

Use a reverse proxy or load balancer to terminate TLS and forward validated requests to AdonisJS over a private, trusted network. Rotate API keys regularly and bind them to IP or scope constraints where feasible. Ensure logs do not capture raw API keys by sanitizing headers before writing to stdout or files.